Office of Inspector General
Corporation for National and Community Service

FEDERAL INFORMATION SECURITY MANAGEMENT ACT (FISMA)
INDEPENDENT EVALUATION FOR FY 2013

OIG REPORT 14-03

1201 New York Ave, NW
Suite 830
Washington, DC 20525
(202) 606-9390

This report was issued to Corporation management on December 16, 2013. Under the laws and regulations governing audit follow-up, the Corporation is to make final management decisions on the report’s findings and recommendations no later than June 16, 2014, and complete its corrective actions by December 15, 2014. Consequently, the reported findings do not necessarily represent the final resolution of the issues presented.

December 16, 2013

TO:       Kim Mansaray
          Chief Operating Officer (Acting)

FROM:     Stuart Axenfeld
          Assistant Inspector General Audit

SUBJECT:  Federal Information Security Management Act (FISMA) Independent Evaluation for FY 2013 (OIG Report Number 14-03)

Attached is the final report on the Office of Inspector General’s (OIG) Report 14-03, “FY13 Federal Information Security Management Act (FISMA) Evaluation for the Corporation for National and Community Service.” This evaluation was performed by Kearney & Company, P.C. in accordance with the Quality Standards for Inspection and Evaluation promulgated by the Council of Inspectors General on Integrity and Efficiency (CIGIE).

Kearney & Company, P.C. has determined that the Corporation has limited assurance that its Information Security Program is compliant with the FISMA legislation, applicable Office of Management and Budget (OMB) guidance, and National Institute of Standards and Technology (NIST) Special Publications (SP). Their evaluation identified 30 instances of noncompliance with OMB guidance and NIST SPs.
These areas of noncompliance are grouped into six findings, resulting in nine recommendations to strengthen the Corporation’s Information Security Program.

Should you have any questions about this report, please contact Guy Hadsall, Chief Technology Officer/OIG at 202-606-9375.

Attachment

cc:
Philip Clark, Chief Information Officer
Lloyd Samples, Chief Information Security Officer

1201 New York Avenue, NW • Suite 830 • Washington, DC 20525
202-606-9390 • Hotline: 800-452-8210 • www.cncsoig.gov

FY 2013 Federal Information Security Management Act Evaluation
for the
Corporation for National and Community Service

RQ#: OIG1302130001, Amendment CNSIG-13-Q-0002

December 13, 2013

Point of Contact:
Tyler Harding, Principal
1701 Duke Street, Suite 500
Alexandria, VA 22314
703-931-5600, 703-931-3655 (fax)
tyler.harding@kearneyco.com
Kearney & Company’s TIN is 54-1603527, DUNS is 18-657-6310, Cage Code is 1SJ14

CNCS FY 2013 FISMA Evaluation
Final Report for FY 2013

TABLE OF CONTENTS
                                                                     Page #

1.   BACKGROUND ............................................................ 3
     1.1 Overview ........................................................... 3
     1.2 FISMA .............................................................. 3
     1.3 NIST Security Standards and Guidelines ............................. 4
     1.4 DHS’s FISMA Responsibilities ....................................... 5
     1.5 Scope .............................................................. 6

2.   SUMMARY RESULTS ....................................................... 6

3.   FINDINGS .............................................................. 8
     3.1 ISCM Strategy ...................................................... 8
     3.2 Risk Management ................................................... 11
     3.3 Security Awareness and Training ................................... 15
     3.4 Evaluation of Agency POA&M Process ................................ 18
     3.5 Evaluation of Contractor Oversight ................................ 19
     3.6 Identity and Access Management Controls ........................... 22

APPENDIX A: MANAGEMENT’S RESPONSE ......................................... 25

APPENDIX B: KEARNEY’S AND OIG’S ANALYSIS OF PLANNED ACTIONS ............... 37

APPENDIX C: RESULTS FROM NCCC AND STATE FIELD OFFICE ASSESSMENTS .......... 53

APPENDIX D: ABBREVIATIONS AND ACRONYMS .................................... 54

APPENDIX E: REFERENCED DOCUMENTS .......................................... 55

December 13, 2013

Honorable Deborah J. Jeffrey
Inspector General
Office of Inspector General
Corporation for National and Community Service
1201 New York Avenue, NW, Suite 830
Washington, D.C. 20525

Dear Ms. Jeffrey:

This report presents the results of Kearney & Company, P.C.’s (defined as “Kearney,” “we,” and “our” in this report) independent evaluation of the Corporation for National and Community Service’s (the Corporation) Information Security Program and practices. The Federal Information Security Management Act of 2002 (FISMA) requires the Corporation to develop, document, and implement an agency-wide Information Security Program to protect its information and information systems, including those provided or managed by another agency, contractor, or source. Additionally, FISMA requires the Corporation to undergo an annual independent evaluation of its Information Security Program and practices, as well as an assessment of its compliance with FISMA requirements.
The Corporation’s Office of Inspector General (OIG) contracted with Kearney to perform an independent fiscal year (FY) 2013 FISMA evaluation of the Corporation’s information technology (IT) policies, procedures, and practices. We are pleased to provide this FY 2013 FISMA Independent Evaluation Report, which details the results of our review of the Corporation’s Information Security Program.

The objectives of the evaluation were to:

   •  Determine the efficiency and effectiveness of the Corporation’s IT policies, procedures, and practices
   •  Review a representative subset of the Corporation’s information systems
   •  Assess the Corporation’s compliance with FISMA and related information security policies, procedures, standards, and guidelines
   •  Evaluate personally identifiable information (PII) protection and physical controls at field office sites
   •  Prepare the Corporation’s responses to the Department of Homeland Security’s (DHS) FY 2013 Inspector General (IG) FISMA Reporting Metrics, dated November 30, 2012.

Kearney’s methodology for the FY 2013 FISMA evaluation included testing a subset of the Corporation’s systems for compliance with selected controls covered by the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-53, Revision (Rev.) 3, Recommended Security Controls for Federal Information Systems and Organizations. Our evaluation methodology met the Quality Standards for Inspection and Evaluation, promulgated by the Council of Inspectors General on Integrity and Efficiency (CIGIE), and included inquiries, observations, and inspection of Corporation documents and records, as well as direct testing of controls.

The Corporation’s Information Security Program incorporates the security requirements mandated by FISMA, and updates them as guidance changes. For example, the Corporation is currently transitioning from NIST SP 800-53, Rev. 3 to NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, to increase assurance that security controls have been adequately implemented and assessed. The Corporation is also continuing to update its information security policies and procedures; oversee its primary technology contractor, SRA International, Inc. (SRA), and other contracted services; and provide training in proper protection of PII for field office personnel.

We conclude that the Corporation has limited assurance that its Information Security Program is compliant with the FISMA legislation, applicable Office of Management and Budget (OMB) guidance, and NIST SPs. Our testing identified 30 instances of noncompliance with OMB guidance and NIST SPs, itemized in Appendix C: Responses to DHS’s FY 2013 IG FISMA Reporting Metrics. These areas of noncompliance are grouped into six findings, and our report includes nine recommendations to strengthen the Corporation’s Information Security Program. Appendix A provides the Corporation’s response to the draft FISMA report.

In closing, we appreciate the courtesies extended to the Kearney FISMA Evaluation Team during this engagement.

Sincerely,

Kearney & Company, P.C.
Alexandria, Virginia

1.     BACKGROUND

1.1    Overview

In 1993, the Corporation was established to connect Americans of all ages and backgrounds with opportunities to give back to their communities and their nation. Its mission is to improve lives, strengthen communities, and foster civic engagement through service and volunteering. The Corporation’s Board of Directors and Chief Executive Officer (CEO) are appointed by the President and confirmed by the Senate. The CEO oversees the agency, which employs about 600 employees operating throughout the United States and its territories. The Board of Directors sets broad policies and direction for the Corporation, and oversees actions taken by the CEO with respect to standards, policies, procedures, programs, and initiatives, as are necessary to carry out the mission of the Corporation.

1.2    FISMA

FISMA was enacted into law as Title III of the E-Government Act of 2002 (E-Gov) (Public Law [P.L.] 107-347, December 17, 2002).
Key requirements of FISMA include:

   •  The establishment of an agency-wide Information Security Program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or source
   •  An annual independent evaluation of the agency’s Information Security Program and practices
   •  Testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency’s information systems.

FISMA outlines the information security management requirements for agencies, including the requirement for an annual review and independent assessment by each agency’s IG. The statute also requires minimum standards for agency systems. The annual assessments are intended to assist agencies in developing strategies and best practices for improving information security.

In addition, FISMA requires Federal agencies to implement the following information security practices:

   •  Periodic risk assessments
   •  Information security policies, procedures, standards, and guidelines
   •  Delegation of authority to the Chief Information Officer (CIO) to ensure the design and implementation of information security policies are consistent with OMB and NIST guidance
   •  Security awareness training programs
   •  Periodic testing and evaluation of the effectiveness of security policies, procedures, and practices, to be performed no less than annually
   •  Processes to manage remedial actions for addressing deficiencies
   •  Procedures for detecting, reporting, and responding to security incidents
   •  Plans to ensure continuity of operations
   •  Annual reporting on the adequacy and effectiveness of the Information Security Program to OMB and Congress.

OMB is responsible for reporting to Congress a summary of the results of an agency’s compliance with FISMA requirements. OMB also establishes executive policies with respect to information security. Its principal written statement of Government policy regarding information security is OMB Circular No. A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, dated November 28, 2000, which establishes a minimum set of controls to be included in Federal automated Information Security Programs. In particular, OMB Circular A-130, Appendix III defines adequate security as security commensurate with the risk and magnitude of the harm resulting from loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used by the agency operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.

Additionally, OMB has issued guidance related to information security with regard to Plans of Actions and Milestones (POA&M) for addressing findings from security control assessments, security impact analyses, and continuous monitoring activities. Per OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Actions and Milestones, POA&Ms provide a roadmap for ensuring continuous agency security improvement, and assisting agency officials with prioritizing corrective action and resource allocation.

1.3    NIST Security Standards and Guidelines

FISMA requires NIST to establish minimum standards and guidelines for Federal information systems, and further requires Federal agencies to comply with Federal Information Processing Standards (FIPS) issued by NIST. These requirements cannot be waived. NIST also develops and issues SPs as recommendations and guidance documents.

FIPS Publication (PUB) 200, Minimum Security Requirements for Federal Information and Information Systems, mandates the use of NIST SP 800-53, Rev. 3 [1], Recommended Security Controls for Federal Information Systems and Organizations. NIST SP 800-53, Rev. 3 provides guidelines for selecting and specifying security controls for information systems. The security controls described in NIST SP 800-53 are organized into 18 functional “families” that fall into three broad classes—technical, management, and operational [2]—shown in Table 1 below.

[1] NIST released its fourth revision of the SP on April 30, 2013.
[2] According to NIST SP 800-53, management controls are the security controls for an information system that focus on the management of risk and information system security. Operational controls are the security controls for an information system that are primarily implemented and executed by people (as opposed to systems). Technical controls are the security controls for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

                         Table 1: Security Control Families

     #   Security Control Family                      Control Class
     1   Access Control                               Technical
     2   Audit and Accountability                     Technical
     3   Identification and Authentication            Technical
     4   System and Communications Protection         Technical
     5   Security Assessment and Authorization        Management
     6   Planning                                     Management
     7   Risk Assessment                              Management
     8   System and Services Acquisition              Management
     9   Program Management                           Management
    10   Awareness and Training                       Operational
    11   Configuration Management                     Operational
    12   Contingency Planning                         Operational
    13   Incident Response                            Operational
    14   Maintenance                                  Operational
    15   Media Protection                             Operational
    16   Physical and Environmental Protection        Operational
    17   Personnel Security                           Operational
    18   System and Information Integrity             Operational

Information systems are further categorized according to their importance to the agency’s mission and the potential impact on the agency’s operations, assets, or individuals of a loss of confidentiality, integrity, and availability of the information system and data (see FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST SP 800-60, Volume 1: Guide for Mapping Types of Information and Information Systems to Security Categories). Of the Corporation’s 10 information systems and sub-systems, six have a “moderate” security impact and four have a “low” security impact. Nine of the 10 information systems are hosted and operated by other Government agencies or third party service providers.

1.4    DHS’s FISMA Responsibilities

Under the authority of OMB, DHS facilitates the annual reporting of the CIO Reporting Metrics, Senior Agency Official for Privacy Reporting Metrics, and OIG Reporting Metrics to Congress, utilizing an online tool called CyberScope. For OIGs to prepare their annual responses in CyberScope, DHS provides instructions in the FY 2013 IG FISMA Reporting Metrics, and requires each agency OIG to respond to 11 FISMA metric questions. Appendix B contains the OIG’s responses for the Corporation.

Kearney’s evaluation of the effectiveness of the Corporation’s Information Security Program focused on compliance with FISMA legislative requirements, applicable OMB and NIST guidance, and the Corporation’s own information security policies, procedures, and practices.

1.5    Scope

This independent evaluation was conducted during the period of June through October 2013. Our evaluation methodology met the Quality Standards for Inspection and Evaluation, promulgated by CIGIE, including inquiries, observations, and inspection of Corporation documents and records, as well as direct testing of controls. The FISMA evaluation included an assessment of the following:

   •  Corporation Information Security Program activities
   •  Management oversight of contractor-managed systems, including the Corporation Network and My AmeriCorps Portal
   •  FY 2013 OMB/DHS Reporting Metrics
   •  Site visits to a Corporation State Office in Jackson, MS
   •  Site visits to two National Civilian Community Corps (NCCC) locations (Perry Point, MD and Vicksburg, MS).

2.     SUMMARY RESULTS

This section provides the conclusions of our research, analysis, and assessment of the Corporation’s Information Security Program, policies, and practices. Authoritative policies, standards, and guidance are cited where applicable.
As shown in Table 2 below, Kearney\nconcluded that management attention is needed for seven of the 11 areas of security controls.\n\n                            Table 2: Security Control Effectiveness\n\n      2013 DHS IG FISMA Reporting Area                      Security Control Effectiveness\n1. Continuous Monitoring Management                         Warrants Management Attention\n2. Configuration Management                                   Demonstrates Effectiveness\n3. Identity and Access Management                           Warrants Management Attention\n4. Incident Response and Reporting                            Demonstrates Effectiveness\n5. Risk Management                                          Warrants Management Attention\n6. Security Training                                        Warrants Management Attention\n7. POA&Ms                                                   Warrants Management Attention\n8. Remote Access Management                                 Warrants Management Attention\n9. Contingency Planning                                     Warrants Management Attention\n10. Contractor Systems                                        Demonstrates Effectiveness\n11. Security Capital Planning                                 Demonstrates Effectiveness\n\nIn some of these areas, the Corporation was actively working to address noted security\nweaknesses and documenting planned activities in POA&Ms. Where the Corporation was\nmaking sufficient progress, we did not report a separate finding; instead, we listed those areas in\nTable 2 above and in Appendix B. Thus, our report focuses on significant unaddressed security\ncontrol deficiencies grouped into six findings, as listed below in order of significance:\n\n      1. 
Lack of a formally documented and fully implemented Information Security Continuous\n         Monitoring (ISCM) strategy\n\n\n                                                6\n\x0c                                                                       CNCS FY 2013 FISMA Evaluation\n                                                                              Final Report for FY 2013\n\n\n\n   2. Lack of formally documented and fully implemented Risk Management Framework\n      (RMF)\n   3. Lack of a fully implemented a Role-Based Information Security Training Program\n   4. Improvements needed with POA&M reporting\n   5. Improvements needed to ensure that contractors comply with the Corporation\xe2\x80\x99s\n      Information Security Program requirements\n   6. Lack of two-factor authentication to the Corporation\xe2\x80\x99s desktops, laptops, and corporate\n      network.\n\nAddressing these security control deficiencies will assist the Corporation\xe2\x80\x99s ongoing efforts to\nassure adequate security over its information resources.           Our report includes nine\nrecommendations to further strengthen the Corporation\xe2\x80\x99s Information Security Program. At the\ntime of our evaluation, the Corporation had already taken steps toward strengthening controls in\nsome of these areas:\n\n   1. Document and fully implement an ISCM strategy\n   2. Document and fully implement a process for addressing risk at the organizational/mission\n      and business process levels throughout the organization\n   3. Clearly assign ownership and responsibilities for executing risk management processes at\n      the business/program level (Tier 2)\n   4. Ensure compliance with processes for monitoring security controls at the information\n      system level, and obtain formal approval and necessary waivers for departures from\n      corporate policy. 
Further, establish and communicate potential disciplinary actions for\n      noncompliance with the Corporation\xe2\x80\x99s security policies\n   5. Implement role-based security training for all users with significant information security\n      responsibilities and maintain documentation for the completion of training\n   6. Enhance the POA&M reporting/review process to include details of resources required\n      for remediation, and an explanation for any delays in implementing corrective actions\n   7. Strengthen the POA&M process to require individuals to reference evidence supporting\n      the closure of a POA&M item\n   8. Strengthen contractor oversight to ensure compliance with the Corporation\xe2\x80\x99s security\n      requirements by clearly assigning oversight responsibility and required activities for\n      Contracting Officers (CO), system owners, and supporting IT professionals\n   9. Research avenues to implement two-factor authentication, such as leveraging Federal\n      shared service providers to reduce upfront technology costs, lower per unit cost, and\n      adopt a gradual, phased-deployment strategy to overcome current budget constraints.\n\n\n\n\n                                               7\n\x0c                                                                          CNCS FY 2013 FISMA Evaluation\n                                                                                 Final Report for FY 2013\n\n\n\n3.       
FINDINGS\n\n3.1      ISCM Strategy\n\nBackground:\nInformation Security Continuous Monitoring is\ndefined as maintaining ongoing awareness of\ninformation security, vulnerabilities, and threats to\nsupport organizational risk management decisions.\nAccording to NIST SP 800-137, Information Security\nContinuous Monitoring for Federal Information\nSystems and Organizations, effective ISCM begins\nwith development of a strategy that addresses ISCM\nrequirements and activities at each organizational tier\n(i.e., organization, mission/business process, and\ninformation system). Each tier monitors security\nmetrics and assesses security control effectiveness with\nestablished monitoring and assessment frequencies,\nand status reports customized to support tier-specific\ndecision-making.        NIST describes continuous\nmonitoring as a six step process, as depicted in Exhibit 1: ISCM Process.\n\nFinding #1: Lack of a Formally Documented and Fully Implemented ISCM Strategy\n(See Appendix B, related DHS Question #1: Continuous Monitoring Management)\n\nCondition:\nThe Corporation has not formally documented and implemented an organization-wide ISCM\nstrategy, as mandated by OMB guidance and required by four NIST SPs. The Corporation\xe2\x80\x99s\nInformation Assurance Program (IAP) provides for the continuous monitoring of information\nsystem (Tier 3) controls; however, the IAP does not define all processes supporting a continuous\nmonitoring program across the entire organization or define meaningful, reportable metrics for\nall business processes supporting the Corporation\xe2\x80\x99s mission.\n\nAn ISCM strategy consists of activities at three levels within an organization: Tier 1 \xe2\x80\x93\nOrganization, Tier 2 \xe2\x80\x93 Mission/Business Process, and Tier 3 \xe2\x80\x93 Information System. Such\nactivities should include the following:\n\n      1. Policy that defines key metrics\n      2. 
Policy for modifications to and maintenance of the monitoring strategy\n      3. Policies and procedures for the assessment of security control effectiveness (common,\n         hybrid, and system-level controls)\n      4. Policies and procedures for security status monitoring\n      5. Policies and procedures for security status reporting (on control effectiveness and status\n         monitoring)\n      6. Policies and procedures for assessing risks, and gaining threat information and insights\n      7. Policies and procedures for configuration management and security impact analysis\n\n\n\n                                                  8\n\x0c                                                                                 CNCS FY 2013 FISMA Evaluation\n                                                                                        Final Report for FY 2013\n\n\n\n    8. Policies and procedures for implementation and use of organization-wide tools\n    9. Policies and procedures for establishment of monitoring frequencies\n    10. Policies and procedures for determining sample sizes and populations, and managing\n        object sampling\n    11. Procedures for determining security metrics and data sources\n    12. Templates for assessing risks\n    13. Templates for security status reporting (on control effectiveness and status monitoring). 3\n\nCause:\nThe Corporation is currently in the process of revising procedural documentation and has not\nfully adopted the current guidance from NIST regarding continuous monitoring. According to\nthe Corporation\xe2\x80\x99s CIO, the Corporation has a strategy for continuous monitoring; this strategy is\nreflected in the Corporation\xe2\x80\x99s daily security practices. With a small team of security\nprofessionals, the CIO thought that the strategy was adequately communicated without\ndocumentation. 
Additionally, the impact of sequestration resulted in an approximate 12% IT\nbudget decrease and left fewer resources available for implementing information security\ninitiatives.\n\nCriteria:\nIn 2009, OMB and NIST acknowledged that the then-existing Government-wide approach of\nre-assessing all general support systems and major applications every three years, as required by\nOMB Circular A-130, Appendix III, did not address the dynamic nature of IT and the constantly\nchanging threat landscape to the organization, business/mission, and supporting information\nsystems. OMB and NIST therefore determined that agencies needed to develop near-real-time\ncontinuous monitoring practices. OMB Memorandum M-12-20, FY 2012 Reporting Instructions\nfor the Federal Information Security Management Act and Agency Privacy Management,\nprovides specific guidance regarding continuous monitoring and risk management practices.\nOMB states in its Frequently Asked Questions:\n\n        # 29: Is a security reauthorization still required every 3 years or when an\n        information system has undergone significant change as stated in OMB Circular\n        A-130? No. Rather than enforcing a static, three-year reauthorization process, agencies are\n        expected to conduct ongoing authorizations of information systems through the\n        implementation of continuous monitoring programs. Continuous monitoring programs\n        thus fulfill the three-year security reauthorization requirement, so a separate\n        re-authorization process is not necessary. In an effort to implement a more dynamic,\n        risk-based security authorization process, agencies should follow the guidance in NIST\n        Special Publication 800-37. Agencies should develop and implement continuous\n        monitoring strategies for all information systems which address all security controls\n        implemented, including the frequency and degree of rigor associated with the monitoring\n        process. 
Continuous monitoring strategies should also include all common controls\n        inherited by organizational information systems. Continuous monitoring strategies\n        should be developed in accordance with NIST SP 800-137, Information Security\n        Continuous Monitoring for Federal Information Systems and Organizations, and\n        approved by appropriate authorizing officials. Agency officials should monitor the\n        security state of their information systems on an ongoing basis with a frequency\n        sufficient to make ongoing risk-based decisions on whether to continue to operate the\n        systems within their organizations. Continuous monitoring programs and strategies\n        should address: (i) establishment of metrics to be monitored; (ii) establishment of\n        frequencies for monitoring/assessments; (iii) ongoing security control assessments to\n        determine the effectiveness of deployed security controls; (iv) ongoing security status\n        monitoring; (v) correlation and analysis of security-related information generated by\n        assessments and monitoring; (vi) response actions to address the results of the analysis;\n        and (vii) reporting the security status of the organization and information system to senior\n        management officials consistent with guidance in NIST SP 800-137.\n\n3 NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and\nOrganizations, Section 3.1, “Define ISCM Strategy.”\n\nNIST provides specific guidance to Federal agencies for implementing a continuous monitoring\nprogram in four key NIST SPs, listed below in order of precedence:\n\n    •   NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information\n        Systems and Organizations, August 2009. Please refer to required Security Control\n        CA-7, “Continuous Monitoring”; and related Security Controls RA-2, “Security\n        Categorization”; CA-2, “Security Assessment”; and CA-6, “Security Authorization”\n    •   NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to\n        Federal Information Systems: A Security Life Cycle Approach, February 2010. This SP\n        discusses the NIST RMF, which comprises six steps that provide a structured practice for\n        incorporating information security and risk management activities into the system\n        development lifecycle\n    •   NIST SP 800-39, Managing Information Security Risk, March 2011. 
This SP provides\n        guidelines for developing an ISCM strategy and implementing an ISCM program\n    •   NIST SP 800-137, Information Security Continuous Monitoring for Federal Information\n        Systems and Organizations, September 2011. This SP describes the fundamentals of\n        ongoing monitoring in support of risk management.\n\nEffect:\nFailure to implement a comprehensive ISCM strategy weakens the internal control\nenvironment and increases the risk that inappropriate or unusual activity could go undetected,\npossibly allowing fraud or unauthorized transactions. The Corporation is working to mitigate\nthis risk by adopting more recent NIST guidance and practices; however, these practices were\nnot fully implemented during FY 2013.\n\nThe bottom line is that the lack of a comprehensive and documented strategy leaves the\nCorporation with important gaps in its IT security monitoring, such as its oversight of\ncontractor-operated information systems. An ISCM strategy is a critical first step in identifying\nand rectifying these and other gaps and ensuring that sensitive systems and information are secure.\n\nRecommendation:\nKearney recommends that the Corporation:\n\n      1. Document and fully implement an ISCM strategy that incorporates the following:\n         a. Establishment of metrics to be monitored\n         b. Establishment of frequencies for monitoring/assessments\n         c. Ongoing security control assessments to determine the effectiveness of deployed\n            security controls\n         d. Ongoing security status monitoring\n         e. 
Correlation and analysis of security-related information generated by assessments and\n            monitoring\n         f. Response actions to address the results of the analysis\n         g. Reporting of the security status of the organization and information system to senior\n            management officials consistent with guidance in NIST SP 800-137.\n\n3.2       Risk Management\n\nBackground:\nTitle III of the E-Government Act (E-Gov), entitled FISMA, emphasizes the need for\norganizations to develop, document, and implement an organization-wide program to provide\nsecurity for the information systems that support their operations and assets.\n\nManaging risk is a complex, multifaceted activity that requires the involvement of the entire\norganization—from senior leaders/executives providing the strategic vision, and top-level goals\nand objectives for the organization; to mid-level leaders planning, executing, and managing\nprojects; to individuals on the “front lines” operating the information systems supporting the\norganization’s missions/business functions. 
NIST defines the key elements for effectively\nmanaging information security risk organization-wide as follows:\n\n      •   Assignment of risk management responsibilities to senior leaders/executives\n      •   Ongoing recognition and understanding by senior leaders/executives of the information\n          security risks to organizational operations and assets, individuals, other organizations,\n          and the nation arising from the operation and use of information systems\n      •   Establishing the organizational tolerance for risk and communicating that risk tolerance\n          throughout the organization, including guidance on how risk tolerance impacts ongoing\n          decision-making activities\n      •   Accountability by senior leaders/executives for their risk management decisions, and for\n          the implementation of effective, organization-wide risk management programs\n      •   Understanding the organizational missions and business functions, and the relationships\n          among missions/business functions and supporting processes.\n\nIn an era of constrained budgets, Federal agencies are increasingly integrating and consolidating\nvarious internal control and risk management activities to reduce duplication of effort. To gain\nefficiencies, several Federal agencies are centralizing responsibilities for conducting OMB\nCircular A-123 internal control assessments along with required FISMA risk management and\nsecurity assessment activities under a central program office for internal controls. 
In another\nexample, a Federal agency reorganized management responsibilities to make a single Chief\nSecurity Officer responsible for information security, physical security, personnel security (i.e.,\nbackground checks), and risk management activities. These examples reflect how different\nagencies are addressing multiple OMB mandates for stronger internal controls and improved risk\nmanagement practices.\n\nRisk management can be viewed as a “holistic” activity that is fully integrated into every aspect\nof the organization. NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management\nFramework to Federal Information Systems, Section 2.1, “Integrated Organization-Wide Risk\nManagement,” illustrates a three-tiered approach to risk management that addresses risk-related\nconcerns at the organization level, the mission and business process level, and the information\nsystem level.\n\nTier 1 addresses risk from an organizational perspective with the development of a\ncomprehensive governance structure and organization-wide risk management strategy that\nincludes the following:\n\n   •   Techniques and methodologies the organization plans to employ to assess information\n       system-related security risks and other types of risk of concern to the organization\n   •   Methods and procedures the organization plans to use to evaluate the significance of the\n       risks identified during the risk assessment\n   •   Types and extent of risk mitigation measures the organization plans to employ to address\n       identified risks\n   •   Level of risk the organization plans to accept (i.e., risk 
tolerance)\n   •   How the organization plans to monitor risk on an ongoing basis, given the inevitable\n       changes to organizational information systems and their environments of operation\n   •   Degree and type of oversight the organization plans to use to ensure that the risk\n       management strategy is being effectively carried out.\n\nTier 2 addresses risk from a mission and business process perspective, and is guided by the risk\ndecisions at Tier 1. Tier 2 activities are closely associated with enterprise architecture and\ninclude the following:\n\n   •   Defining the core missions and business processes for the organization (including any\n       derivative or related missions and business processes carried out by subordinate\n       organizations)\n   •   Prioritizing missions and business processes with respect to the goals and objectives of\n       the organization\n   •   Defining the types of information that the organization needs to successfully execute the\n       stated missions and business processes, and the information flows both internal and\n       external to the organization\n   •   Developing an organization-wide information protection strategy and incorporating\n       high-level information security requirements into the core missions and business processes\n   •   Specifying the degree of autonomy for subordinate organizations (i.e., organizations\n       within the parent organization) that the parent organization permits for assessing,\n       evaluating, mitigating, accepting, and monitoring risk.\n\nTier 3 addresses risk from an information system perspective and is guided by 
the risk decisions\nat Tiers 1 and 2. Tier 3 risk management activities include the following:\n\n   •   Categorizing organizational information systems\n   •   Allocating security controls to organizational information systems and the environments\n       in which those systems operate consistent with the organization’s established enterprise\n       architecture and embedded information security architecture\n   •   Managing the selection, implementation, assessment, authorization, and ongoing\n       monitoring of allocated security controls as part of a disciplined and structured system\n       development lifecycle process implemented across the organization.\n\nRisk decisions at Tiers 1 and 2 impact the ultimate selection and deployment of needed\nsafeguards and countermeasures (i.e., security controls) at the information system level.\nInformation security requirements are satisfied by the selection of appropriate management,\noperational, and technical security controls from NIST SP 800-53.\n\nFinding #2: Lack of a Formally Documented and Fully Implemented RMF\n(See Appendix B, related DHS Question #5: Risk Management)\n\nCondition:\nThe Corporation’s risk management program addresses risk mainly at the information system\n(Tier 3) level. 
Policy and documented processes for system-level assessments were substantially\ncompliant with requirements; however, Kearney noted the following:\n\n   •   The Corporation lacks an organization-wide risk assessment that considers risks\n       across the organization, including Tier 2 activities/business processes carried out by\n       field offices\n   •   The Corporation did not annually assess the security controls or risks of its\n       Electronic System for Programs, Agreements, and National Service (eSPAN)\n       application.\n\nCause:\nThe Corporation has not yet completed revisions to its information security procedures to\ncomply with the current guidance from NIST. Additionally, the impact of sequestration resulted\nin an approximate 12% IT budget decrease and left fewer resources available for implementing\ninformation security initiatives. Further, in discussions, the Corporation’s CIO 4/Risk\nExecutive expressed the view that, as a “small agency,” the Corporation does not need to adopt\nand/or document formal risk management strategies, as these decisions are reflected in corporate\nsecurity policies. 
The CIO/Risk Executive also commented that the distinction between internal\ncontrols and information security controls at the business/program level (Tier 2) is unclear.\nLacking this clarity, the CIO/Risk Executive indicated that ultimate responsibility and ownership\nof risk at the business/program level was not well defined; thus, risk management activities\nfocused on the business/program level did not occur.\n\nAdditionally, the Corporation’s risk management program does not have a mature process for\naddressing risk from an organizational perspective, or an established process for monitoring\nselected security controls for information systems. Specific to the eSPAN observation and lack\nof a recent security assessment, management indicated that the eSPAN application was being\nupgraded over several years and delayed a comprehensive security assessment until the upgrade\nwas complete to minimize security assessment costs. Such an approach, while perhaps\ncost-effective, does not comply with OMB Memoranda and NIST security guidance.\n\nCriteria:\nNIST SP 800-39, Managing Information Security Risk, Organization, Mission, and Information\nSystem View, states:\n\n        Tier 1 addresses risk from an organizational perspective by establishing and\n        implementing governance structures that are consistent with the strategic goals and\n        objectives of organizations and the requirements defined by federal laws, directives,\n        policies, regulations, standards, and missions/business functions. 
Governance structures\n        provide oversight for the risk management activities conducted by organizations and\n        include: (i) the establishment and implementation of a risk executive (function); (ii) the\n        establishment of the organization’s risk management strategy including the determination\n        of risk tolerance; and (iii) the development and execution of organization-wide\n        investment strategies for information resources and information security. Governance is\n        the set of responsibilities and practices exercised by those responsible for an organization\n        (e.g., the board of directors and executive management in a corporation, the head of a\n        federal agency) with the express goal of: (i) providing strategic direction; (ii) ensuring\n        that organizational mission and business objectives are achieved; (iii) ascertaining that\n        risks are managed appropriately; and (iv) verifying that the organization’s resources are\n        used responsibly.\n\n        Tier 2 addresses risk from a mission and business process perspective and is guided by\n        the risk decisions at Tier 1. The risk management activities at Tier 2 begin with the\n        identification and establishment of risk-aware mission/business processes to support the\n        organizational missions and business functions. Implementing risk-aware\n        mission/business processes requires a thorough understanding of the organizational\n        missions and business functions and the relationships among missions/business functions\n        and supporting processes. Tier 2 activities are closely associated with enterprise\n        architecture and include: (i) defining the core missions and business processes for the\n        organization (including any derivative or related missions and business processes carried\n        out by subordinate organizations); (ii) prioritizing missions and business processes with\n        respect to the goals and objectives of the organization; (iii) defining the types of\n        information that the organization needs to successfully execute the stated missions and\n        business processes and the information flows both internal and external to the\n        organization; (iv) developing an organization-wide information protection strategy and\n        incorporating high-level information security requirements into the core missions and\n        business processes; and (v) specifying the degree of autonomy for subordinate\n        organizations (i.e., organizations within the parent organization) that the parent\n        organization permits for assessing, evaluating, mitigating, accepting, and monitoring risk.\n\n4 The Corporation’s CIO also holds the role of Risk Executive, as defined in NIST SP 800-39, Managing\nInformation Security Risk, Organization, Mission, and Information System View.\n\nEffect:\nAn incomplete or out-of-date risk management program could leave the Corporation’s\nmanagement unaware of information security risks affecting the organization and its systems.\nWithout this knowledge, management may not take sufficient actions to reduce risk to the\nCorporation’s programs.\n\nRecommendations:\nKearney recommends that the Corporation:\n\n      2. Document and fully implement a process for addressing and capturing risk at the\n         organizational/mission and business process levels throughout the organization\n      3. 
Clearly assign ownership and responsibilities for executing risk management processes at\n         the business/program level (Tier 2)\n      4. Ensure compliance with processes for monitoring security controls at the information\n         system level (i.e., Tier 3), and obtain formal approval and necessary waivers for\n         departures from Corporation policy. Further, establish and communicate potential\n         disciplinary actions for noncompliance with the Corporation’s security policies.\n\n3.3      Security Awareness and Training\n\nBackground:\nWorldwide, some of the most effective attacks on cyber networks currently are directed at\nexploiting user behavior. As cited in audit reports, periodicals, and conference presentations, it\nis generally understood by the IT security professional community that people are one of the\nweakest links in attempts to secure systems and networks. These threats are especially effective\nwhen directed at those with elevated network privileges and/or other cyber responsibilities.\nTraining users (privileged and unprivileged) and those with access to other pertinent information\nand media is a necessary deterrent to these methods. 
Therefore, organizations are expected to\nuse risk-based analysis to determine the appropriate amount, content, and frequency of training\nupdates needed to achieve adequate security by influencing the behaviors that affect cyber security.\n\nFISMA not only requires organizations to ensure all users of information and information\nsystems are aware of their information security responsibilities (Security Awareness and\nTraining Program), but also requires departments and agencies to identify and train those users\nwith significant responsibilities for information security (Role-based Training). Federal agencies\nand organizations cannot protect the confidentiality, integrity, and availability of information in\ntoday’s highly networked systems environment without ensuring that all people involved in\nusing and managing IT:\n\n   •   Understand their roles and responsibilities related to the organization’s mission\n   •   Understand the organization’s IT security policies, procedures, and practices\n   •   Have at least adequate knowledge of the various management, operational, and technical\n       controls required and available to protect the IT resources for which they are responsible.\n\nFinding #3: Lack of a Fully Implemented Role-based Information Security Training\nProgram\n(See Appendix B, related DHS Question #6: Security Training)\n\nCondition:\nAlthough the FISMA legislation, OMB, and NIST require role-based security training for\nindividuals with significant information security responsibilities, the Corporation has not\ndocumented and implemented a comprehensive role-based security training program. 
Certain role-based\nsecurity training modules have been developed, but have not yet been approved and disseminated\nthroughout the Corporation.\n\nCause:\nThe role-based security training module has been developed by IT staff, but has not been\nformally approved and deployed throughout the Corporation. The Information Assurance Team\nstated that budget constraints and emergency IT priorities have contributed to the delay. The\nCorporation expects role-based security training to be implemented in December 2013. The\nCorporation’s CIO also indicated that the Corporation provides one-on-one training to individuals\nwith significant information security responsibility when they assume a new role; however, the\nCorporation does not maintain evidence of this training.\n\nCriteria:\nNIST SP 800-50, Building an Information Technology Security Awareness and Training\nProgram, cites that a successful IT security program consists of:\n\n   1. Developing IT security policy that reflects business needs tempered by known risks\n   2. Informing users of their IT security responsibilities, as documented in agency security\n      policies and procedures\n   3. Establishing processes for monitoring and reviewing the program.\n\nNIST SP 800-53, Rev. 
3, Recommended Security Controls for Federal Information Systems and\nOrganizations, Section AT-3, “Security Training,” states:\n\n       Control: The organization provides role-based security-related training: (i) before\n       authorizing access to the system or performing assigned duties; (ii) when required by\n       system changes; and (iii) [Assignment: organization-defined frequency] thereafter.\n\n       Supplemental Guidance: The organization determines the appropriate content of\n       security training based on assigned roles and responsibilities and the specific\n       requirements of the organization and the information systems to which personnel have\n       authorized access. In addition, the organization provides information system managers,\n       system and network administrators, personnel performing independent verification and\n       validation activities, security control assessors, and other personnel having access to\n       system-level software, adequate security-related technical training to perform their\n       assigned duties. Organizational security training addresses management, operational, and\n       technical roles and responsibilities covering physical, personnel, and technical safeguards\n       and countermeasures. 
The organization also provides the training necessary for these\n       individuals to carry out their responsibilities related to operations security within the\n       context of the organization’s information security program.\n\nThe Corporation’s Information Assurance Program, Section 3.2, “IA Awareness & Training,”\nincludes the following requirements:\n\n                          Table 3: Security Training Requirements\n\n Type                 Objective                          Frequency                        Training   Required\n                                                                                          Provider   Participation\n\n                                          Program-Level Training\n\n Security Training    Promote understanding of           1) Annually                      CISO       All\n                      information security and           2) When changes are made\n                      privacy policies                      to policies\n Security Awareness   Basic understanding of how to      1) Annually                      CISO       All\n                      respond to risk\n Security Role-Based  Carry out information assurance    1) Initial training              CISO       Individuals with\n Training             risk management roles at the       2) Annually                                 Program-Level\n                      program level                                                                  Security Roles\n\n                                      System Specific-Level Training\n\n System Specific      Understanding of system specific   1) Initial training (before      ISO        All\n Security Training    security and privacy procedures       access to systems or\n                      (e.g., Rules of Behavior)             information)\n                                                         2) When changes are made\n                                                            to procedures\n                                                         3) Annually\n Security Role-Based  Provides security-related          1) Initial training (before      ISO        Individuals with\n Training             training specifically tailored        performing duties)                       Security Roles\n                      for their assigned duties at       2) Policy is changed\n                      the system level (e.g., incident   3) Annually\n                      response training)\n\nEffect:\nA strong IT security program cannot be implemented without significant attention given to\ntraining agency IT users on security policies, procedures, and techniques, as well as the various\nmanagement, operational, and technical controls necessary and available to secure IT resources.\nIn addition, those in the agency who manage the IT infrastructure need to have the necessary\nskills to carry out their assigned duties effectively. Failure to give attention to security training\nputs an enterprise at great risk because security of agency resources is as much a human issue as\nit is a technology issue. Without specific training, a user may not know all of his/her information\nsecurity responsibilities under the Corporation’s policies and may be more vulnerable to\ncyber-attacks. Additionally, without regular training, individuals with significant information security\nresponsibilities may not keep abreast of new OMB and NIST guidance.\n\nRecommendation:\nKearney recommends that the Corporation:\n\n      5. 
Implement role-based security training for all users with significant information security\n         responsibilities and maintain documentation for the completion of training.\n\n3.4       Evaluation of Agency POA&M Process\n\nBackground:\nOMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plans of Actions\nand Milestones, requires agencies to identify and report on deficiencies in their Information\nSecurity Program. A POA&M is a tool that identifies tasks that need to be accomplished. It\ndetails the required resources, milestones towards meeting the task, and scheduled completion\ndates for the milestones. The purpose of the POA&M is to assist agencies in identifying,\nassessing, prioritizing, and monitoring the progress of corrective efforts for security weaknesses\nfound in programs and systems.\n\nFinding #4: Improvements Needed to POA&M Reporting\n(See Appendix B, related DHS Question #7: Plan of Actions and Milestones)\n\nCondition:\nKearney identified the following procedural weaknesses with the Corporation’s management of\nPOA&Ms:\n\n      •   POA&Ms did not clearly identify resources (labor hours and/or costs) required to resolve\n          open tasks\n      •   Supporting evidence for closing open POA&Ms was not consistently referenced and\n          maintained in the Corporation’s POA&M tracker.\n\nCause:\nThe Corporation’s CIO indicated that when security weaknesses are identified and POA&Ms\ncreated, the Corporation opens a Change Request. The Corporation utilizes the Change Request\nto track priorities and resources necessary for closing the POA&M item. 
The Corporation\xe2\x80\x99s\nprior POA&M process did not record the associated Change Request number with the POA&M\n\n\n\n                                                 18\n\x0c                                                                          CNCS FY 2013 FISMA Evaluation\n                                                                                 Final Report for FY 2013\n\n\n\nitem. Additionally, the POA&M closure process did not require the participants to maintain\nevidence of closure.\n\nCriteria:\nAccording to OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security\nPlans of Actions and Milestones:\n\n        POA&Ms should contain, at minimum, (i) the stated weakness, (ii) the point of contact\n        for the POA&M, (iii) the resources required to complete the POA&M, (iv) the scheduled\n        date of completion, (v) the identified milestones complete with anticipated dates of\n        completion, (vi) changes to the milestones, (vii) the source of the weakness, and (viii) the\n        status of the POA&M. POA&Ms not only create a way to track and remediate\n        weaknesses, but can be a valuable tool to communicate resource needs to Agency\n        leadership and should be integrated with the annual budget process when significant\n        investments are required.\n\nEffect:\nWithout clearly identifying resources needed to plan for and remediate identified security\nweaknesses, the Corporation may not adequately budget and identify resources required to\nremediate identified vulnerabilities. Further, POA&M closures may not be adequately supported\nand reviewed, resulting in potential vulnerabilities.\n\nRecommendations:\n\nKearney recommends that the Corporation:\n\n      6. Enhance the POA&M process to identify resources required for remediation either in the\n         POA&M item or associated change request ticket\n      7. 
Strengthen the POA&M process to require individuals to reference evidence supporting\n         the closure of a POA&M item.\n\n3.5     Evaluation of Contractor Oversight\n\nBackground:\nFISMA and OMB policy require external providers handling Federal information or operating\ninformation systems on behalf of the Federal Government to meet the security requirements\napplicable to Federal agencies. Requirements for external providers, which include security\ncontrols for processing, storing, or transmitting Federal information, must be expressed in\ncontracts or similar formal agreements. Organizations can require external providers to\nimplement all steps in the RMF, with the exception of the security authorization step. A Federal\nagency that chooses to outsource IT services remains ultimately responsible for ensuring\nappropriate security.\n\nFISMA also requires Federal agencies to provide appropriate protection of their resources\nthrough implementing a comprehensive Information Security Program that is commensurate with\nthe sensitivity of the information being processed, transmitted, and stored by agency information\n\n\n\n                                                 19\n\x0c                                                                            CNCS FY 2013 FISMA Evaluation\n                                                                                   Final Report for FY 2013\n\n\n\nsystems. 
An institutionalized information security performance measurement program enables agencies to collect and report on relevant FISMA performance indicators.

Finding #5: Improvements Needed to Ensure that Contractors Comply with the Corporation’s Information Security Program Requirements
(See Appendix B, related DHS Question #10: Contractor Systems)

Condition:
Although the Corporation has defined general responsibilities for its COs, system owners, and IT support professionals to monitor its IT contractors, the Corporation does not have systems or processes in place to ensure that its employees actually provide the necessary oversight to confirm that contractors implement mandated security controls. Corporation guidance expressly requires the Corporation to ensure contractors, grantees, and other parties that operate information systems for the Corporation or handle data on the Corporation’s behalf adhere to FISMA, OMB requirements, and the Corporation’s information security and privacy policies. Table 4 below summarizes the applicable oversight responsibilities, as detailed by the Corporation’s previous Chief Information Security Officer (CISO).

Table 4: Oversight Procedures Summary

Task | Primary Responsibility | Supporting Roles | Task Completion or Report Date
IT Inventory Registration | Information System Owner, Information Owner, or the individual initiating the procurement of the IT service | Project/Program Manager, Service Provider | Prior to Implementation
FISMA Language/Memorandum of Understanding | Information System Owner, Information Owner, or the individual initiating the procurement of the IT service | Project/Program Manager | Development of the Service Agreement
Preliminary Privacy Impact Assessments | Information System Owner, Information Owner, or the individual initiating the procurement of the IT service | Project/Program Manager, Service Provider | Prior to Collecting Information
Certification and Accreditation | Information System Owner, Information Owner, or Project/Program Manager | Service Provider | Prior to System Activation
Update System Security Plan | Information System Owner, Information Owner, or Project/Program Manager | Service Provider | April 15th (Annually)
Continuous Monitoring | Information System Owner, Information Owner, or Project/Program Manager | Service Provider | April 15th (Annually)
Contingency Plan Testing | Information System Owner, Information Owner, or Project/Program Manager | Service Provider | April 15th (Annually)
Security and Awareness Training | Information System Owner, Information Owner, or Project/Program Manager | Service Provider | April 15th (Annually)
POA&M | Information System Owner, Information Owner, or Project/Program Manager | Service Provider | As Required
Privacy/Security Incidents | Information System Owner, Information Owner, or Project/Program Manager | Service Provider | Upon Discovery or Detection

After reviewing IT contracts for the Corporation’s Managed Data Center Services (MDCS) provider (SRA), its data center provider (Savvis), and support services contracts for the eSPAN/MyAmeriCorps portal (enGenius and Planned Systems International), together with the procedures setting forth the relevant oversight activities, Kearney determined that the Corporation’s process does not describe in sufficient detail the steps and evaluation criteria necessary for review of security assessment documentation (i.e., updated System Security Plan, Continuous Monitoring Plan, Contingency Plan test results, or updated POA&M) and security performance measures required from its IT contractors. Further, the IT contracts appeared to use a generic list of security requirements, but did not specify the security controls or a tailored set of security controls relevant to those contracted IT services. In addition, the IT contracts did not define information security goals and objectives, performance measures, and technical compliance requirements for measuring performance effectiveness, efficiency, or frequency of control execution.

Cause:
The Corporation’s management acknowledged that the Corporation was not following the oversight procedures described by its own documentation, in part because the procedures were not communicated to Corporation personnel charged with responsibility.
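Findings #4 and #5 above both come down to records that lack required elements, evidence references, or dates. The following Python script is an added example for this page (not code from the report, Kearney, the OIG, or the Corporation): it checks constructed POA&M records against the eight OMB M-02-01 elements quoted under the Finding #4 Criteria and the two Finding #4 weaknesses, and checks a constructed set of the Table 4 annual deliverables for late or undocumented oversight. The field names, the placeholder contract, ticket references, and dates are all assumptions.

```python
"""Validate POA&M records and contractor oversight deliverables against the
gaps in Findings #4 and #5. All records below are constructed samples, not
entries from the Corporation's POA&M tracker or its contracts."""
from datetime import date

# The eight minimum POA&M elements listed in OMB M-02-01 (quoted under
# Criteria in Finding #4), keyed the way the constructed records store them.
REQUIRED_ELEMENTS = (
    "weakness", "point_of_contact", "resources", "scheduled_completion",
    "milestones", "milestone_changes", "source", "status",
)

# Oversight deliverables that Table 4 makes due April 15th annually.
ANNUAL_DELIVERABLES = (
    "Update System Security Plan", "Continuous Monitoring",
    "Contingency Plan Testing", "Security and Awareness Training",
)


def check_poam(rec: dict) -> list[str]:
    """Return the problems found in one POA&M record (empty list = clean)."""
    problems = [f"missing element: {k}" for k in REQUIRED_ELEMENTS if k not in rec]
    # Finding #4 condition: resources must be quantified as labor hours and/or cost.
    res = rec.get("resources") or {}
    if not (res.get("labor_hours", 0) > 0 or res.get("cost_usd", 0) > 0):
        problems.append("resources not quantified (labor hours and/or cost)")
    # Finding #4 cause: the Change Request that carries priority and resources
    # was not linked to the POA&M item.
    if not rec.get("change_request"):
        problems.append("no Change Request number recorded on the POA&M item")
    # Finding #4 condition: closures must reference retained evidence.
    if rec.get("status") == "closed" and not rec.get("closure_evidence"):
        problems.append("closed without referenced closure evidence")
    return problems


def check_oversight(contract: str, received: dict, as_of: date) -> list[str]:
    """Flag Table 4 annual deliverables that are missing, late, or reviewed
    without retained evidence. `received` maps deliverable name to
    (date received, evidence reference or None)."""
    due = date(as_of.year, 4, 15)
    problems = []
    for name in ANNUAL_DELIVERABLES:
        entry = received.get(name)
        if entry is None:
            if as_of >= due:
                problems.append(f"{contract}: {name} not received by {due.isoformat()}")
            continue
        got, evidence = entry
        if got > due:
            problems.append(f"{contract}: {name} received late ({got.isoformat()})")
        if not evidence:
            problems.append(f"{contract}: {name} reviewed but no evidence of review retained")
    return problems


# Constructed sample records: WEAK_POAM mirrors the condition in Finding #4,
# FIXED_POAM shows the same item after recommendations 6 and 7 are applied.
WEAK_POAM = {
    "weakness": "Audit logs not reviewed weekly",
    "point_of_contact": "System Owner (placeholder)",
    "resources": {},                      # no labor hours or cost recorded
    "scheduled_completion": date(2014, 3, 31),
    "milestones": [("Assign reviewer", date(2014, 1, 15))],
    "source": "FY 2013 security assessment",
    "status": "closed",                   # closed, but nothing cited as evidence
}

FIXED_POAM = dict(
    WEAK_POAM,
    resources={"labor_hours": 24, "cost_usd": 0},
    milestone_changes=[],                 # element present, no changes yet
    change_request="CR-0000 (placeholder)",
    closure_evidence=["review-log-2014-03 (placeholder artifact)"],
)

# Constructed oversight record for one contract, reviewed as of mid-2013.
CONTRACT_RECEIVED = {
    "Update System Security Plan": (date(2013, 4, 10), "ticket-123 (placeholder)"),
    "Continuous Monitoring": (date(2013, 5, 2), "ticket-124 (placeholder)"),
    "Contingency Plan Testing": (date(2013, 4, 1), None),
    # "Security and Awareness Training" was never received
}


def run_sample() -> dict:
    """Run all checks on the constructed records and return the results."""
    return {
        "weak": check_poam(WEAK_POAM),
        "fixed": check_poam(FIXED_POAM),
        "oversight": check_oversight("Contract A (placeholder)", CONTRACT_RECEIVED,
                                     date(2013, 6, 30)),
    }


if __name__ == "__main__":
    for name, problems in run_sample().items():
        print(name, "->", problems or ["no problems found"])
```

The weak record produces four problems (the missing milestone-change element, unquantified resources, no Change Request link, and a closure with no evidence); the fixed record produces none; the oversight check reports one late deliverable, one reviewed without retained evidence, and one never received. A deliverable that is not yet due is deliberately not reported, so the checker can run at any point in the year.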
Further, while the use of a generic list of security requirements may have been intended to promote consistency and shift the burden of compliance to the contractor, it was confusing and counterproductive because neither the Corporation nor contractor personnel understood clearly which of the 240+ NIST security controls, Corporation-specific requirements, and policies were relevant to each service contract; how oversight would be implemented; and how contractor compliance would be measured. The Corporation’s management also expressed the view that they conducted oversight of its IT contractors and their security controls throughout the year, but did not consistently maintain evidence of this oversight for all IT contracts and conduct it according to the due dates listed in Table 4 above.

Criteria:
NIST SP 800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations, Section SA-9, “External Information System Services,” states:

       Control: The organization:
          a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
          b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
          c. Monitors security control compliance by external service providers.

NIST SP 800-35, Guide to Information Technology Security Services, dated October 2003, states:

        4.5.1 Monitor Service Provider Performance:

        The operational phase is similar to the assessment phase. The data collected during the assessment phase should be used to capture the performance level of this new service provider. During the operations phase, the desired future arrangement becomes the current arrangement.

        The targets set forth in the service agreement should be compared with the metrics gathered. Although metrics will provide service-level targets, the organization may also want to use end user evaluations or customer satisfaction level surveys to evaluate performance. The IT security managers will have to work with other operational managers (such as customer service managers) to ensure that the service provider is meeting service targets. The IT security managers also need to ensure service providers are complying with IT security policy and processes, as well as applicable laws and regulations. IT security managers must ensure during the operations phase that the service provider does not compromise private, confidential, personal, or mission-sensitive data. Compliance reports will help with this effort. The service agreement should have included clauses that specify penalties and/or remedies for noncompliance and management should employ these when the service provider does not perform as the contract dictates.

Effect:
Without formal monitoring processes and clearly assigned responsibilities for monitoring contractor performance, weaknesses in the security controls implemented by the Corporation’s contractors may not be detected, potentially resulting in significant errors and irregularities. This may place the Corporation’s data at risk.

Recommendation:
Kearney recommends that the Corporation:

      8. Strengthen contractor oversight to ensure compliance with the Corporation’s security requirements by clearly assigning oversight responsibility and required activities for COs, system owners, and supporting IT professionals.

3.6     Identity and Access Management Controls

Background:
The key goal of identity and access management is to limit access to those individuals or processes that require use of otherwise restricted information. Identity and access management controls work together to affirm the logical identity of a user, process, or application, and appropriately control access to computer resources (e.g., data, equipment, facilities), thereby protecting them from unauthorized modification, loss, and disclosure. Identity controls are implemented using authentication factors such as an account ID, password, physical token, fingerprint, or Personal Identity Verification (PIV) card.

Given the rise in sophisticated malware that steals account IDs and passwords, OMB and DHS have mandated that Federal agencies strengthen identity and access management controls to thwart such attacks by using multi-factor authentication. According to OMB and DHS, “A single-factor authentication mechanism, such as a username and password, is insufficient to block even basic attackers.” [5] Thus, strong information system authentication requires multiple factors to securely authenticate a user. Secure authentication requires something you have, something you are, and something you know. The President signed the implementation of Homeland Security Presidential Directive (HSPD)-12, Policy for a Common Identification Standard for Federal Employees and Contractors, on August 27, 2004. This Presidential Directive requires all Federal agencies to use a standard badge for both physical and logical access. DHS indicated in its 2013 CIO and IG FISMA Reporting Metrics that the implementation of HSPD-12/PIV card is an “Administration Priority,” with two-factor authentication to be implemented Government-wide using PIV cards.

To manage the costs of implementing two-factor authentication for agency desktops and laptops, many Federal agencies are gradually implementing two-factor authentication as part of their desktop replacement cycle and migration from the Windows XP to Windows 7 operating system. Smaller Federal agencies are also leveraging Federal shared service providers and their technology infrastructure to significantly reduce the upfront costs of implementing two-factor authentication with PIV credentials. NIST states that small agencies may join with other agencies (and are encouraged to do so when cost-effective) to implement and use FIPS PUB 201 compliant [6] components and systems.

Finding #6: Lack of Two-factor Authentication to the Corporation’s Desktops, Laptops, and Corporate Network
(See Appendix B, related DHS Question #3: Identity and Access Management)

Condition:
The Corporation’s laptops and desktops have not been configured to use PIV credentials for both physical and logical access control, as required by OMB Memoranda and NIST security guidance.

Cause:
OMB mandated the use of PIV cards for two-factor access without providing additional funding for its implementation. Moreover, IT budget decreases have left fewer resources available for implementing information security initiatives.
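Until PIV logon is deployed, a defender can at least measure how much of the environment still depends on a single factor. The following Python detection logic is an added example (not from the report, Kearney, the OIG, or the Corporation): it reads constructed authentication records and flags logons that fall under the three IA-2 statements quoted under Criteria below, labelled here as IA-2(1) to IA-2(3), but that used only one factor category. The log format, user names, and the mapping from authentication method to the something-you-know/have/are categories named in the Background are assumptions.

```python
"""Flag authentication events that used a single factor where the IA-2
statements quoted under Criteria require multifactor authentication.
The log format and every record below are constructed for this example."""
import re
from collections import Counter

# Which of the three factor categories named in the Background (something you
# know / have / are) each authentication method supplies. Assumed mapping.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "piv": "have", "smartcard": "have", "token": "have",
    "fingerprint": "are",
}

# (access type, account type) pairs that require multifactor authentication,
# labelled with the IA-2 statement they correspond to. Local access to
# non-privileged accounts is not in the quoted list, so it is not checked.
MFA_REQUIRED = {
    ("network", "privileged"): "IA-2(1)",
    ("network", "non-privileged"): "IA-2(2)",
    ("local", "privileged"): "IA-2(3)",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' record."""
    timestamp, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["timestamp"] = timestamp
    methods = event.get("methods", "")
    event["methods"] = methods.split("+") if methods else []
    return event


def factor_count(methods) -> int:
    """Number of distinct factor categories used; two 'know' methods
    (password + PIN) still count as a single factor."""
    return len({FACTOR_CATEGORY[m] for m in methods if m in FACTOR_CATEGORY})


def find_single_factor_logons(lines) -> list[tuple]:
    """Return (timestamp, user, IA-2 statement, methods) for each event that
    required multifactor authentication but used one factor category."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        control = MFA_REQUIRED.get((event.get("access"), event.get("account_type")))
        if control and factor_count(event["methods"]) < 2:
            violations.append((event["timestamp"], event.get("user"), control,
                               "+".join(event["methods"])))
    return violations


def summarize(lines) -> Counter:
    """Count single-factor logons per IA-2 statement."""
    return Counter(v[2] for v in find_single_factor_logons(lines))


# Constructed sample records (not from any Corporation system).
SAMPLE_LOG = [
    "2013-09-10T08:15:02Z user=admin01 account_type=privileged access=network methods=password",
    "2013-09-10T08:16:40Z user=jdoe account_type=non-privileged access=network methods=password",
    "2013-09-10T08:17:05Z user=admin02 account_type=privileged access=local methods=password",
    "2013-09-10T08:20:11Z user=admin03 account_type=privileged access=network methods=piv+pin",
    "2013-09-10T08:21:30Z user=jsmith account_type=non-privileged access=local methods=password",
    "2013-09-10T08:22:00Z user=asmith account_type=non-privileged access=network methods=password+pin",
]

if __name__ == "__main__":
    for ts, user, control, methods in find_single_factor_logons(SAMPLE_LOG):
        print(f"{ts} {user}: {control} requires multifactor, used only {methods}")
    print(dict(summarize(SAMPLE_LOG)))
```

Two points the sample data is built to show: a PIV card with its PIN counts as two factors (have plus know), while a password plus a PIN does not, because both are something you know; and the local non-privileged logon is left alone because the quoted IA-2 text does not cover it. The per-statement counts give a simple metric for tracking progress as PIV logon is rolled out.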
Based on prior research, the Corporation determined that the cost of implementing two-factor authentication using a PIV card would be greater than the anticipated benefit.

[5] FY 2013 IG FISMA Reporting Metrics, dated November 30, 2012, Question 3, “Identity and Access.”
[6] FIPS PUB 201 is a Federal Government standard that specifies PIV requirements for Federal employees and contractors.

Criteria:
The President signed the implementation of HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, on August 27, 2004. This Presidential Directive requires all Federal agencies to use a standard badge for both physical and logical access. The purpose of a PIV badge is to “…support inter-agency interoperability” across the Federal Government. [7] DHS indicated in its 2013 CIO and IG FISMA Reporting Metrics that the implementation of the HSPD-12/PIV card is an “Administration Priority” with two-factor authentication to be implemented Government-wide using PIV cards.

Further, NIST SP 800-53, Rev. 3 requires all Federal information systems to implement Security Control IA-2, “Identification and Authentication (Organizational Users),” which states:

           1. “The information system uses multifactor authentication for network access to privileged accounts.
           2. The information system uses multifactor authentication for network access to non-privileged accounts.
           3. The information system uses multifactor authentication for local access to privileged accounts.”

Effect:
In addition to noncompliance with HSPD-12 requirements, the current single-factor authentication mechanisms (e.g., a user ID and password) are no longer sufficient to block even unsophisticated attacks, given the advances in computer power and password cracking techniques, thereby increasing the likelihood of penetration.

Recommendation:
Kearney recommends that the Corporation:

       9. Research avenues to implement two-factor authentication, such as leveraging a Federal shared service provider to reduce upfront technology costs, lower per unit cost, and adopt a gradual, phased-deployment strategy to overcome current budget constraints.

[7] FIPS PUB 201-1, Personal Identity Verification of Federal Employees and Contractors, dated March 2006.

APPENDIX A: MANAGEMENT’S RESPONSE
APPENDIX B: KEARNEY’S AND OIG’S ANALYSIS OF PLANNED ACTIONS

On November 26, 2013, the Corporation for National and Community Service (Corporation) provided written responses (Appendix A) to the draft of this report. The Corporation agreed with the factual accuracy of all observations, but only partially agreed with recommended actions. The prevailing rationale for the partial agreement is that as a small Government corporation, the additional security controls required by the Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) of larger, cabinet-level agencies were not appropriate or cost effective for the Corporation to implement. In this light, the Corporation agreed to consider the merits of our recommendations, but would generally not agree to implement them. In one instance, the Corporation cited an August 5, 2005 OMB Memorandum, M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12, as exempting Government corporations from implementing personal identity verification (PIV) cards for physical access and logical access to Government networks, desktops, and data. Subsequent memoranda from OMB [8], NIST, and the Department of Homeland Security (DHS) do not provide an exemption for Government corporations to not implement the requirements of HSPD 12 and Federal Information Processing Standards (FIPS) Publication (PUB) 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, dated March 2006. For example, OMB Memorandum M-11-11, Continued Implementation of HSPD-12 - Policy for a Common Identification Standard for Federal Employees and Contractors, dated February 3, 2011, mandates that all Federal agencies implement HSPD 12 and associated requirements for two-factor authentication using a PIV badge. The Corporation must determine if it is legally required to implement PIV cards for both physical and logical access to the network. Regardless, it is widely recognized by information security professionals that two-factor authentication is an industry best practice, provides superior identification and authentication of users, and can thwart attacks to capture a user’s ID and password.

In the following tables, Kearney and the OIG evaluated the Corporation’s response for each of the six findings and determined if the Corporation’s planned actions were responsive to the recommendation. Kearney defined responsive as follows:
    • Yes indicates that planned actions fully address the noted weakness and root cause.
    • No indicates that planned actions do not address the noted weakness and root cause.
    • Partial indicates that planned actions do not fully address the noted weakness and additional actions are necessary.

[8] Since 2002, OMB has issued annual Federal Information Security Management Act (FISMA) reporting instructions for agencies’ Chief Information Officers (CIO), Senior Agency Officials for Privacy, and Inspectors General. The annual FISMA reporting instructions clarify OMB’s interpretation of the FISMA legislation and include a Frequently Asked Questions (FAQ) section to explain OMB policy. The most recent OMB FISMA reporting instructions were issued on November 18, 2013 (OMB Memorandum M-14-04). OMB clearly states that the Federal Information Processing Standards (FIPS) may not be waived by Federal agencies (Question 11, page 5). The FAQ section does not provide any exemption for Government corporations to not implement PIV badges for both physical and logical access.

The following items will remain open until follow-up is conducted in the fiscal year (FY) 2014 FISMA evaluation and the Office of Inspector General (OIG) determines that agreed-upon corrective actions are complete and responsive.

Finding 1: Lack of a Formally Documented and Fully Implemented Information Security Continuous Monitoring (ISCM) Strategy

No. 1
Recommendation: Document and fully implement an ISCM strategy that incorporates the following:
    a. Establishment of metrics to be monitored
    b. Establishment of frequencies for monitoring/assessments
    c. Ongoing security control assessments to determine the effectiveness of deployed security controls
    d. Ongoing security status monitoring
    e. Correlation and analysis of security-related information generated by assessments and monitoring
    f. Response actions to address the results of the analysis
    g. Reporting of the security status of the organization and information system to senior management officials consistent with guidance in NIST Special Publication (SP) 800-137.
Corporation Comment: The recommendation implies implementation of the full range and depth of guidance contained in the NIST SP. CNCS has tailored guidance regarding ISCM based on its assessment of agency risks, mission, organization, size, etc.
Planned Corporation Action: CNCS will review its ISCM strategy in light of OIG recommendations and make any appropriate adjustments to process or documentation as necessary.
Evaluator Analysis: Responsive: Partial. Kearney agrees that the Corporation’s planned action is an appropriate first step; however, the Corporation does not agree to document its ISCM strategy and identify key security metrics. Kearney continues to make the recommendation as stated.

Finding 2: Lack of Formally Documented and Fully Implemented Risk Management Framework (RMF)

No. 2
Recommendation: Document and fully implement a process for addressing and capturing risk at the organization, mission, and business process levels throughout the organization.
Corporation Comment: CNCS incorporates a holistic approach to risk assessment to include all levels of the organization in making information assurance decisions, policies, and investments, and tailors NIST guidance to agency needs.
Planned Corporation Action: CNCS will review its risk management framework in light of OIG recommendations and make any appropriate adjustments to processes or documentation as necessary.
Evaluator Analysis: Responsive: Partial. Kearney agrees that the Corporation’s planned action is an appropriate first step; however, the Corporation does not agree to document its risk management approach and consider Levels I and II in its methodology, consistent with NIST SP 800-37, Revision (Rev.) 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Kearney continues to make the recommendation as stated.

No. 3
Recommendation: Clearly assign ownership and responsibilities for executing risk management processes at the business/program level (Tier 2).
Corporation Comment: CNCS incorporates a holistic approach to risk assessment to include all levels of the organization in making information assurance decisions, policies and investments, tailoring NIST guidance to agency needs.
Planned Corporation Action: CNCS will review its risk management framework in light of OIG recommendations and make any appropriate adjustments to process or documentation as necessary.
Evaluator Analysis: Responsive: Partial. Kearney agrees that the Corporation’s planned action is an appropriate first step; however, the Corporation does not agree to document and clearly assign roles and responsibilities for risk management functions at the business level. Kearney continues to make the recommendation as stated.

No. 4
Recommendation: Ensure compliance with processes for monitoring security controls at the information system level (i.e., Tier 3), and obtain formal approval and necessary waivers for departures from Corporation policy. Further, establish and communicate potential disciplinary actions for noncompliance with the Corporation’s security policies.
Corporation Comment: CNCS currently monitors security controls at the system level, prepares and approves waivers, and takes disciplinary action as appropriate.
Planned Corporation Action: CNCS will review its policies and processes in these areas in light of OIG recommendations and make any appropriate adjustments to processes or documentation as necessary.
Evaluator Analysis: Responsive: Partial. Kearney acknowledges the cost justification in delaying the application risk assessment and encourages the Corporation to document its risk acceptance and departure from Corporate policy when such events occur. In the case of eSPAN, the Corporation should complete the risk assessment. Kearney continues to make the recommendation as stated.

Finding 3: Lack of a Fully Implemented Role-Based Information Security Training Program

No. 5
Recommendation: Implement role-based security training for all users with significant information security responsibilities and maintain documentation for the completion of training.
Corporation Comment: CNCS provides written guidance and desk side training to all users with significant information security responsibilities.
Planned Corporation Action: CNCS will improve documentation of training given.
Evaluator Analysis: Responsive: Partial. Kearney agrees that documenting role-based training provided to individuals with significant information security responsibility is one action of several needed.
Other\n                                                                                     key actions include\n                                                                                     delivering role-based\n                                                                                     security training to the\n                                                                                     Corporation\xe2\x80\x99s IT\n                                                                                     professionals, Contracting\n                                                                                     Officers, System Owners,\n                                                                                     and other employees\n                                                                                     involved in the oversight of\n                                                                                     the Corporation\xe2\x80\x99s IT\n                                                                                     vendors to ensure that all\n                                                                                     parties understand and\n                                                                                     follow the Corporation\xe2\x80\x99s\n                                                                                     security policies. Kearney\n                                                                                     continues to make the\n                                                                                     recommendation as stated.\n\nFinding 4: Improvements Needed to Plans of Actions and Milestones (POA&M) Reporting\n\n                                        Corporation          Planned Corporation\nNo.        
Recommendation                                                                Evaluator Analysis\n                                         Comment                     Action\n 6    Enhance the POA&M             CNCS has a robust       CNCS will clarify the       Responsive: Partial\n      process to identify           process and             relationship between\n      resources required for        significant             these two processes.      Kearney agrees that the\n      remediation either in the     allocation of                                     Corporation\xe2\x80\x99s planned\n      POA&M item or the             resources to                                      action is an appropriate\n      associated change request     aggressively                                      first step; however, the\n      ticket.                       mitigate POA&M                                    Corporation did not agree\n                                    items. Tracking of                                to estimate resources\n                                    resource and                                      required to resolve noted\n                                    implementation                                    security weaknesses\n                                    actions are shared                                captured on either a\n                                    between the                                       POA&M or a change\n                                    POA&M and                                         request. Kearney believes\n                                    system change                                     this is essential\n                                    request processes.                                
information for tracking\n                                                                                      and communicating\n                                                                                      resource needs to\n                                                                                      Corporation Executives\n                                                                                      when establishing the\n                                                                                      annual budget for the\n                                                                                      Corporation\xe2\x80\x99s information\n\n\n\n                                                      40\n\x0c                                                                                      CNCS FY 2013 FISMA Evaluation\n                                                                                             Final Report for FY 2013\n\n\n\n                                       Corporation         Planned Corporation\nNo.        
Recommendation                                                                  Evaluator Analysis\n                                        Comment                  Action\n                                                                                        security program.\n                                                                                        Kearney continues to\n                                                                                        make the\n                                                                                        recommendation as\n                                                                                        stated.\n\n 7    Strengthen the POA&M          CNCS has not been      CNCS will modify                 Responsive: Yes\n      process to require            consistent in          processes to ensure that\n      individuals to reference      documenting            evidence supporting          The Corporation\n      evidence supporting the       evidence               closure of a POA&M           concurred with the\n      closure of a POA&M item.      supporting closure     item is consistently         recommendation to\n                                    of POA&M items.        documented.                  provide improved close-\n                                                                                        out documentation of\n                                                                                        POA&M items.\n\nFinding 5: Improvements Needed to Ensure that Contractors Comply with the\nCorporation's Information Security Program Requirements\n\n                                        Corporation        Planned Corporation\nNo.       
Recommendation                                                                   Evaluator Analysis\n                                         Comment                   Action\n 8    Strengthen contractor         CNCS provides          CNCS will review its            Responsive: Partial\n      oversight to ensure           adequate guidance      IT acquisition policies,\n      compliance with the           to acquisition         processes, and training    Kearney agrees that the\n      Corporation\xe2\x80\x99s security        personnel and          regarding compliance       Corporation\xe2\x80\x99s planned\n      requirements by clearly       system owners          with the CNCS's            action is an appropriate first\n      assigning oversight           regarding their        security requirements      step; however, the\n      responsibility and required   responsibilities for   by IT contractors and      Corporation did not agree to\n      activities for Contracting    requiring and          make any appropriate       take any specific action or\n      Officers (CO), system         overseeing             adjustments to             clarify responsibilities of CO\n      owners, and supporting        information            processes or               and system owners with\n      information technology (IT)   security               documentation, as          regard to external IT\n      professionals.                requirements on IT     necessary                  providers. Kearney\n                                    contracts.                                        continues to make the\n                                                                                      recommendation as stated.\n\nFinding 6: Lack of Two-Factor Authentication to the Corporation\xe2\x80\x99s Desktops, Laptops,\nand Corporate Network\n\n                                        Corporation        Planned Corporation\nNo.       
Recommendation                                                                   Evaluator Analysis\n                                         Comment                   Action\n 9    Research avenues to           CNCS has applied       CNCS will continue              Responsive: Partial\n      implement two-factor          discretion granted     to evaluate options\n      authentication, such as       by OMB and NIST        for two-factor              Kearney recommends that\n      leveraging a Federal          guidance in its        authentication for          the Corporation incorporate\n      shared service provider to    implementation of      logical access to           the plan of action as defined\n      reduce upfront technology     two-factor             Agency applications,        in OMB Memorandum M-\n      costs, lower per unit cost,   authentication.        taking into                 11-11, Continued\n      and adopt a gradual,          Two-factor             consideration               Implementation of\n      phased-deployment             authentication is      potential shared            Homeland Security\n      strategy to overcome          already                services and phased         Presidential Directive\n      current budget constraints.   implemented for        implementation              (HSPD) 12 Policy for a\n\n\n\n                                                      41\n\x0c                                                                     CNCS FY 2013 FISMA Evaluation\n                                                                            Final Report for FY 2013\n\n\n\n                            Corporation        Planned Corporation\nNo.   Recommendation                                                      Evaluator Analysis\n                             Comment                   Action\n                       physical access to      strategies.            
Common Identification\n                       the HQ building and                            Standard for Federal\n                       for logical access to                          Employees and Contractors.\n                       the CNCS network                               Kearney continues to make\n                       (either on-site or                             the recommendation as\n                       remotely).CNCS                                 stated.\n                       does not consider it\n                       cost-effective to\n                       implement two-\n                       factor\n                       authentication for\n                       logical access to\n                       CNCS applications\n                       at this time.\n\n\n\n\n                                         42\n\x0c                                                                            CNCS FY 2013 FISMA Evaluation\n                                                                                   Final Report for FY 2013\n\n\n\n   APPENDIX C: RESPONSES TO DHS\xe2\x80\x99S FY 2013 IG FISMA REPORTING METRICS\n\n                                        FY 2013 IG FISMA Metrics\n1: CONTINUOUS MONITORING MANAGEMENT\n                                                                                              Answer\nPlease select Yes or No from the pull down menu.\n1.1. Has the organization established an enterprise-wide continuous monitoring program\nthat assesses the security state of information systems that is consistent with FISMA\nrequirements, OMB policy, and applicable NIST guidelines? Besides the improvement             No\nopportunities that may have been identified by the OIG, does the program include the\nfollowing attributes?\n           Documented policies and procedures for continuous monitoring\n 1.1.1.                                                                                       
No\n           (NIST SP 800-53: CA-7). (AP)\n           Documented strategy and plans for continuous monitoring\n1.1.2.                                                                                        No\n           (NIST SP 800-37 Rev. 1, Appendix G). (AP)\n           Ongoing assessments of security controls (system-specific, hybrid, and\n           common) that have been performed based on the approved continuous\n 1.1.3.                                                                                       Yes\n           monitoring plans\n           (NIST SP 800-53, NIST SP 800-53A). (AP)\n           Provides authorizing officials and other key system officials with security status\n           reports covering updates to security plans and security assessment reports, as\n 1.1.4. well as a common and consistent POA&M program that is updated with the                Yes\n           frequency defined in the strategy and/or plans (NIST SP 800-53, NIST SP 800-\n           53A). (AP)\n1.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Continuous\nMonitoring Management Program that was not noted in the questions above.\n1.2 Response: Current policies and procedures for continuous monitoring can be improved through\nthe implementation of an Information Security Continuous Monitoring Strategy that considers all\nactivities at the organization, mission/business process, and information systems tiers. 
The Corporation for National and Community Service (Corporation) identified the need for the development of an Information Security Continuous Monitoring Strategy for each system in its Information Assurance Strategic Plan, dated October 2012.

2: CONFIGURATION MANAGEMENT
Please select Yes or No from the pull down menu.
2.1 Has the organization established a security configuration management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?  Answer: Yes
  2.1.1. Documented policies and procedures for configuration management. (Base)  Answer: Yes
  2.1.2. Defined standard baseline configurations. (Base)  Answer: Yes
  2.1.3. Assessments of compliance with baseline configurations. (Base)  Answer: Yes
  2.1.4. Process for timely (as specified in organization policy or standards) remediation of scan result deviations. (Base)  Answer: Yes
  2.1.5. For Windows-based components, USGCB secure configuration settings are fully implemented, and any deviations from USGCB baseline settings are fully documented. (Base)  Answer: Yes
  2.1.6. Documented proposed or actual changes to hardware and software configurations. (Base)  Answer: Yes
  2.1.7. Process for timely and secure installation of software patches. (Base)  Answer: Yes
  2.1.8. Software assessing (scanning) capabilities are fully implemented (NIST SP 800-53: RA-5, SI-2). (Base)  Answer: Yes
  2.1.9. Configuration-related vulnerabilities, including scan findings, have been remediated in a timely manner, as specified in organization policy or standards (NIST SP 800-53: CM-4, CM-6, RA-5, SI-2). (Base)  Answer: Yes
  2.1.10. Patch management process is fully developed, as specified in organization policy or standards (NIST SP 800-53: CM-3, SI-2). (Base)  Answer: Yes
2.2 Please provide any additional information on the effectiveness of the organization’s Configuration Management Program that was not noted in the questions above.
2.2 Response: No additional information.

3: IDENTITY AND ACCESS MANAGEMENT
Please select Yes or No from the pull down menu.
3.1. Has the organization established an identity and access management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines and which identifies users and network devices? Besides the improvement opportunities that have been identified by the OIG, does the program include the following attributes?  Answer: Yes
  3.1.1. Documented policies and procedures for account and identity management (NIST SP 800-53: AC-1). (Base)  Answer: Yes
  3.1.2. Identifies all users, including Federal employees, contractors, and others who access organization systems (NIST SP 800-53, AC-2). (Base)  Answer: Yes
  3.1.3. Identifies when special access requirements (e.g., multi-factor authentication) are necessary. (Base)  Answer: Yes
  3.1.4. If multi-factor authentication is in use, it is linked to the organization’s PIV program where appropriate (NIST SP 800-53, IA-2). (KFM)  Answer: Yes
  3.1.5. Organization has planned for implementation of PIV for logical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11). (AP)  Answer: Yes
  3.1.6. Organization has adequately planned for implementation of PIV for physical access in accordance with government policies (HSPD 12, FIPS 201, OMB M-05-24, OMB M-07-06, OMB M-08-01, OMB M-11-11).  Answer: Yes
  3.1.7. Ensures that the users are granted access based on needs and separation-of-duties principles. (Base)  Answer: Yes
  3.1.8. Identifies devices with IP addresses that are attached to the network and distinguishes these devices from users. (For example: IP phones, faxes, and printers are examples of devices attached to the network that are distinguishable from desktops, laptops, or servers that have user accounts.) (Base)  Answer: Yes
  3.1.9. Identifies all user and non-user accounts. (Refers to user accounts that are on a system. Data user accounts are created to pull generic information from a database or a guest/anonymous account for generic login purposes. They are not associated with a single user or a specific group of users.) (Base)  Answer: Yes
  3.1.10. Ensures that accounts are terminated or deactivated once access is no longer required. (Base)  Answer: No
  3.1.11. Identifies and controls use of shared accounts. (Base)  Answer: No
3.2 Please provide any additional information on the effectiveness of the organization’s Identity and Access Management Program that was not noted in the questions above.
3.2 Response: Due to budget cuts, the Corporation has elected not to implement two-factor authentication for access to the Corporation’s desktops, servers, and network devices. The Corporation has begun deployment of Homeland Security Presidential Directive (HSPD)-12 badges to Federal employees; however, the implementation is limited to physical access to the Corporation’s Headquarters building. Additionally, Kearney & Company, P.C. (Kearney) noted that there is a prior year (PY) Notification of Finding and Recommendation (NFR) for inactive accounts that have not been disabled and/or removed. Kearney noted that this has been identified and tracked on the system Plan of Actions and Milestones (POA&M). The status of this action item is “ongoing.”

4: INCIDENT RESPONSE AND REPORTING
Please select Yes or No from the pull down menu.
4.1. Has the organization established an incident response and reporting program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?  Answer: Yes
  4.1.1. Documented policies and procedures for detecting, responding to, and reporting incidents (NIST SP 800-53: IR-1). (Base)  Answer: Yes
  4.1.2. Comprehensive analysis, validation, and documentation of incidents. (KFM)  Answer: Yes
  4.1.3. When applicable, reports to US-CERT within established timeframes (NIST SP 800-53, NIST SP 800-61; OMB M-07-16, OMB M-06-19). (KFM)  Answer: Yes
  4.1.4. When applicable, reports to law enforcement within established timeframes (SP 800-61). (KFM)  Answer: Yes
  4.1.5. Responds to and resolves incidents in a timely manner, as specified in organization policy or standards, to minimize further damage (NIST SP 800-53, NIST SP 800-61; OMB M-07-16, OMB M-06-19). (KFM)  Answer: Yes
  4.1.6. Is capable of tracking and managing risks in a virtual/cloud environment, if applicable. (Base)  Answer: No
  4.1.7. Is capable of correlating incidents. (Base)  Answer: Yes
  4.1.8. Has sufficient incident monitoring and detection coverage in accordance with government policies (NIST SP 800-53, NIST SP 800-61; OMB M-07-16, OMB M-06-19). (Base)  Answer: Yes
4.2 Please provide any additional information on the effectiveness of the organization’s Incident Management Program that was not noted in the questions above.
4.2 Response: The Corporation does not currently utilize any Cloud Service Providers. As such, Question 4.1.6 is not applicable to the Corporation.

5: RISK MANAGEMENT
Please select Yes or No from the pull down menu.
5.1. Has the organization established a risk management program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?  Answer: No
  5.1.1. Documented policies and procedures for risk management, including descriptions of the roles and responsibilities of participants in this process. (Base)  Answer: Yes
  5.1.2. Addresses risk from an organization perspective with the development of a comprehensive governance structure and organization-wide risk management strategy as described in NIST SP 800-37, Rev. 1. (Base)  Answer: No
  5.1.3. Addresses risk from a mission and business process perspective and is guided by the risk decisions from an organizational perspective, as described in NIST SP 800-37, Rev. 1. (Base)  Answer: No
  5.1.4. Addresses risk from an information system perspective and is guided by the risk decisions from an organizational perspective and the mission and business perspective, as described in NIST SP 800-37, Rev. 1. (Base)  Answer: Yes
  5.1.5. Has an up-to-date system inventory. (Base)  Answer: Yes
  5.1.6. Categorizes information systems in accordance with government policies. (Base)  Answer: Yes
  5.1.7. Selects an appropriately tailored set of baseline security controls. (Base)  Answer: Yes
  5.1.8. Implements the tailored set of baseline security controls and describes how the controls are employed within the information system and its environment of operation. (Base)  Answer: No
  5.1.9. Assesses the security controls using appropriate assessment procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (Base)  Answer: No
  5.1.10. Authorizes information system operation based on a determination of the risk to organizational operations and assets, individuals, other organizations, and the Nation resulting from the operation of the information system and the decision that this risk is acceptable. (Base)  Answer: No
  5.1.11. Ensures information security controls are monitored on an ongoing basis, including assessing control effectiveness, documenting changes to the system or its environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to designated organizational officials. (Base)  Answer: No
  5.1.12. Information-system-specific risks (tactical), mission/business-specific risks, and organizational-level (strategic) risks are communicated to appropriate levels of the organization. (Base)  Answer: No
  5.1.13. Senior officials are briefed on threat activity on a regular basis by appropriate personnel (e.g., CISO). (Base)  Answer: Yes
  5.1.14. Prescribes the active involvement of information system owners and common control providers, chief information officers, senior information security officers, authorizing officials, and other roles as applicable in the ongoing management of information-system-related security risks. (Base)  Answer: No
  5.1.15. Security authorization package contains system security plan, security assessment report, and POA&M in accordance with government policies (NIST SP 800-18, NIST SP 800-37). (Base)  Answer: Yes
  5.1.16. Security authorization package contains accreditation boundaries, defined in accordance with government policies, for organization information systems. (Base)  Answer: Yes
5.2 Please provide any additional information on the effectiveness of the organization’s Risk Management Program that was not noted in the questions above.
5.2 Response: The Corporation has not developed a Risk Management Program consistent with Federal Information Security Management Act of 2002 (FISMA) requirements, Office of Management and Budget (OMB) policy, and applicable National Institute of Standards and Technology (NIST) guidelines. Specifically, the Corporation has not implemented the NIST Risk Management Framework (RMF), as described in NIST Special Publication (SP) 800-37, Revision (Rev.) 1; and NIST SP 800-39 at the Tier 1: Organizational and Tier 2: Mission/Business levels.

6: SECURITY TRAINING
Please select Yes or No from the pull down menu.
6.1. Has the organization established a security training program that is consistent with FISMA requirements, OMB policy, and applicable NIST guidelines? Besides the improvement opportunities that may have been identified by the OIG, does the program include the following attributes?  Answer: Yes
  6.1.1. Documented policies and procedures for security awareness training (NIST SP 800-53: AT-1). (Base)  Answer: Yes
  6.1.2. Documented policies and procedures for specialized training for users with significant information security responsibilities. (Base)  Answer: Yes
  6.1.3. Security training content based on the organization and roles, as specified in organization policy or standards. (Base)  Answer: No
  6.1.4. Identification and tracking of the status of security awareness training for all personnel (including employees, contractors, and other organization users) with access privileges that require security awareness training. (KFM)  Answer: Yes
  6.1.5. Identification and tracking of the status of specialized training for all personnel (including employees, contractors, and other organization users) with
                                                                       No\n          significant information security responsibilities that require specialized training.\n          (KFM)\n          Training material for security awareness training contains appropriate content\n6.1.6.                                                                                         Yes\n          for the organization (NIST SP 800-50, NIST SP 800-53). (Base)\n6.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Security\nTraining Program that was not noted in the questions above.\n6.2 Response: The Corporation identified the need for the development of a role-based training\nprogram in its Information Assurance Strategic Plan, dated October 2012. The Corporation has\ndocumented information technology (IT) security training policies and procedures; however, it has\nnot implemented these training procedures and practices for individuals with significant information\nsecurity responsibilities. The retirement of the Chief Information Security Officer (CISO) and a 12%\nreduction in the IT budget has limited the Corporation\xe2\x80\x99s ability to implement new IT initiatives with\nexisting resources.\n\n\n\n\n                                                   48\n\x0c                                                                          CNCS FY 2013 FISMA Evaluation\n                                                                                 Final Report for FY 2013\n\n\n\n7: PLAN OF ACTIONS AND MILESTONES (POA&M)\n                                                                                           Answer\nPlease select Yes or No from the pull down menu.\n7.1. 
Has the organization established a POA&M program that is consistent with FISMA\nrequirements, OMB policy, and applicable NIST guidelines and tracks and monitors\n                                                                                            Yes\nknown information security weaknesses? Besides the improvement opportunities that\nmay have been identified by the OIG, does the program include the following attributes?\n          Documented policies and procedures for managing IT security weaknesses\n7.1.1.    discovered during security control assessments and that require remediation.      Yes\n          (Base)\n7.1.2.    Tracks, prioritizes, and remediates weaknesses. (Base)                            Yes\n7.1.3.    Ensures remediation plans are effective for correcting weaknesses. (Base)         Yes\n7.1.4.    Establishes and adheres to milestone remediation dates. (Base)                    No\n          Ensures resources and ownership are provided for correcting weaknesses.\n7.1.5.                                                                                      No\n          (Base)\n          POA&Ms include security weaknesses discovered during assessments of\n          security controls and that require remediation (do not need to include security\n7.1.6.                                                                                      Yes\n          weakness due to a risk-based decision to not implement a security control)\n          (OMB M-04-25). (Base)\n          Costs associated with remediating weaknesses are identified (NIST SP 800-53,\n7.1.7.                                                                                      No\n          Rev. 3, Control PM-3; OMB M-04-25). (Base)\n          Program officials report progress on remediation to CIO on a regular basis, at\n          least quarterly, and the CIO centrally tracks, maintains, and independently\n7.1.8.                                                                              
        Yes\n          reviews/validates the POA&M activities at least quarterly (NIST SP 800-53,\n          Rev. 3, Control CA-5; OMB M-04-25). (Base)\n7.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s POA&M\nProgram that was not noted in the questions above.\n7.2 Response: The Corporation has policies and procedures for managing its POA&Ms; however, it\nhas not consistently implemented these policies and procedures. Kearney noted that resources and\ncosts were not consistently estimated and reported in POA&Ms. Additionally, the existence of\noverdue milestones suggests that corrective actions were not consistently implemented as scheduled,\nand periodic updates to the POA&Ms were not performed to reflect new operational challenges and\nmilestone delays.\n\n8: REMOTE ACCESS MANAGEMENT\n                                                                                             Answer\nPlease select Yes or No from the pull down menu.\n8.1. Has the organization established a remote access program that is consistent with\nFISMA requirements, OMB policy, and applicable NIST guidelines? Besides the\n                                                                                              Yes\nimprovement opportunities that may have been identified by the OIG, does the program\ninclude the following attributes?\n          Documented policies and procedures for authorizing, monitoring, and\n8.1.1.    controlling all methods of remote access (NIST SP 800-53: AC-1, AC-17).             Yes\n          (Base)\n          Protects against unauthorized connections or subversion of authorized\n8.1.2.                                                                                        Yes\n          connections. 
(Base)\n\n\n\n\n                                                  49\n\x0c                                                                             CNCS FY 2013 FISMA Evaluation\n                                                                                    Final Report for FY 2013\n\n\n\n8: REMOTE ACCESS MANAGEMENT\n                                                                                             Answer\nPlease select Yes or No from the pull down menu.\n         Users are uniquely identified and authenticated for all access\n8.1.3.                                                                                        Yes\n         (NIST SP 800-46, Section 4.2, Section 5.1). (Base)\n         Telecommuting policy is fully developed (NIST SP 800-46, Section 5.1).\n8.1.4.                                                                                        Yes\n         (Base)\n         If applicable, multi-factor authentication is required for remote access\n8.1.5.                                                                                        Yes\n         (NIST SP 800-46, Section 2.2, Section 3.3). (KFM)\n         Authentication mechanisms meet NIST SP 800-63 guidance on remote\n8.1.6.                                                                                        Yes\n         electronic authentication, including strength mechanisms. (Base)\n         Defines and implements encryption requirements for information transmitted\n8.1.7.                                                                                        Yes\n         across public networks. (KFM)\n         Remote access sessions, in accordance with OMB M-07-16, are timed-out after\n8.1.8.                                                                                        No\n         30 minutes of inactivity, after which re-authentication is required. (Base)\n         Lost or stolen devices are disabled and appropriately reported\n8.1.9.   
(NIST SP 800-46, Section 4.3; US-CERT Incident Reporting Guidelines).                Yes\n         (Base)\n         Remote access rules of behavior are adequate in accordance with government\n8.1.10.                                                                                       No\n         policies (NIST SP 800-53, PL-4). (Base)\n         Remote-access user agreements are adequate in accordance with government\n8.1.11.                                                                                       No\n         policies (NIST SP 800-46, Section 5.1; NIST SP 800-53, PS-6). (Base)\n8.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Remote\nAccess Management that was not noted in the questions above.\n8.2 Response: The Corporation does not have a Rules of Behavior Form specific to remote access\nmanagement. The general Rules of Behavior Form does include guidelines for remote access.\nAdditionally, the Corporation is in process of revising security requirements for session time-outs to\n15 minutes of inactivity.\n         Does the organization have a policy to detect and remove unauthorized (rogue)\n8.3                                                                                           Yes\n         connections?\n\n9: CONTINGENCY PLANNING\n                                                                                                Answer\nPlease select Yes or No from the pull down menu.\n9.1. Has the organization established an enterprise-wide business continuity/disaster\nrecovery program that is consistent with FISMA requirements, OMB policy, and\n                                                                                                 Yes\napplicable NIST guidelines? 
Besides the improvement opportunities that may have been\nidentified by the OIG, does the program include the following attributes?\n          Documented business continuity and disaster recovery policy providing the\n          authority and guidance necessary to reduce the impact of a disruptive event or\n9.1.1.                                                                                           Yes\n          disaster\n          (NIST SP 800-53: CP-1). (Base)\n          The organization has incorporated the results of its system\xe2\x80\x99s Business Impact\n          Analysis (BIA) into the analysis and strategy development efforts for the\n9.1.2.                                                                                           Yes\n          organization\xe2\x80\x99s Continuity of Operations Plan (COOP), Business Continuity\n          Plan (BCP), and Disaster Recovery Plan (DRP) (NIST SP 800-34). (Base)\n\n\n\n\n                                                    50\n\x0c                                                                            CNCS FY 2013 FISMA Evaluation\n                                                                                   Final Report for FY 2013\n\n\n\n9: CONTINGENCY PLANNING\n                                                                                               Answer\nPlease select Yes or No from the pull down menu.\n         Development and documentation of division, component, and IT infrastructure\n9.1.3.                                                                                          No\n         recovery strategies, plans, and procedures (NIST SP 800-34). (Base)\n9.1.4.   Testing of system-specific contingency plans. (Base)                                   No\n         The documented BCP and DRP are in place and can be implemented when\n9.1.5.                                                                                          Yes\n         necessary (FCD1, NIST SP 800-34). 
(Base)\n         Development of test, training, and exercise (TT&E) programs\n9.1.6.                                                                                          No\n         (FCD1, NIST SP 800-34, NIST SP 800-53). (Base)\n         Testing or exercising of BCP and DRP to determine effectiveness and to\n9.1.7.                                                                                          No\n         maintain current plans. (Base)\n         After-action report that addresses issues identified during contingency/disaster\n9.1.8.                                                                                          No\n         recovery exercises (FCD1, NIST SP 800-34). (Base)\n          Systems that have alternate processing sites (FCD1, NIST SP 800-34, NIST SP\n9.1.9.                                                                                       Yes\n          800-53). (Base)\n          Alternate processing sites are not subject to the same risks as primary sites\n9.1.10.                                                                                      Yes\n          (FCD1, NIST SP 800-34, NIST SP 800-53).\n          Backups of information that are performed in a timely manner\n9.1.11.                                                                                      Yes\n          (FCD1, NIST SP 800-34, NIST SP 800-53). (Base)\n9.1.12. Contingency planning that considers supply chain threats. (Base)                     No\n9.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Contingency\nPlanning Program that was not noted in the questions above.\n9.2 Response: Detailed testing of the Business Continuity Plan (BCP) and Disaster Recovery Plan\n(DRP) was conducted during the current year. The Corporation and SRA International, Inc. 
(SRA)\nhave DRPs for the SRA Managed Data Center Services (MDCS) and at Savvis; however, testing of\ncontrols for the Electronic System for Programs, Agreements, and National Service (eSPAN) is\ncurrently in process and has not been performed for this current year because the application security\nassessment is currently in process. This application is operating under an extended authority to\noperate. Further, documentation evidencing a simulated disaster scenario or a \xe2\x80\x9ctable top\xe2\x80\x9d exercise\nwas not provided.\n\n10: CONTRACTOR SYSTEMS\n                                                                                               Answer\nPlease select Yes or No from the pull down menu.\n10.1. Has the organization established a program to oversee systems operated on its\nbehalf by contractors or other entities, including organization systems and services\nresiding in the cloud external to the organization? Besides the improvement                     Yes\nopportunities that may have been identified by the OIG, does the program include the\nfollowing attributes?\n          Documented policies and procedures for information security oversight of\n10.1.1. systems operated on the organization\xe2\x80\x99s behalf by contractors or other entities,         Yes\n          including organization systems and services residing in a public cloud. (Base)\n          The organization obtains sufficient assurance that security controls of such\n10.1.2. systems and services are effectively implemented and comply with Federal and            No\n          organization guidelines (NIST SP 800-53: CA-2). 
(Base)\n\n\n                                                   51\n\x0c                                                                             CNCS FY 2013 FISMA Evaluation\n                                                                                    Final Report for FY 2013\n\n\n\n10: CONTRACTOR SYSTEMS\n                                                                                              Answer\nPlease select Yes or No from the pull down menu.\n          A complete inventory of systems operated on the organization\xe2\x80\x99s behalf by\n10.1.3. contractors or other entities, including organization systems and services            Yes\n          residing in a public cloud. (Base)\n          The inventory identifies interfaces between these systems and organization-\n10.1.4.                                                                                       Yes\n          operated systems (NIST SP 800-53: PM-5). (Base)\n          The organization requires appropriate agreements (e.g., MOUs, Interconnection\n10.1.5. Security Agreements, contracts, etc.) for interfaces between these systems and        Yes\n          those that it owns and operates. (Base)\n10.1.6. The inventory of contractor systems is updated at least annually. (Base)              Yes\n          Systems that are owned or operated by contractors or entities, including\n10.1.7. organization systems and services residing in a public cloud, are compliant with Yes\n          FISMA requirements, OMB policy, and applicable NIST guidelines. (Base)\n10.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Contractor\nSystems Program that was not noted in the questions above.\n10.2 Response: The Corporation has developed security policies requiring Contracting Officers (CO)\nand their technical representatives to conduct oversight and monitoring of their contractors\xe2\x80\x99\nadherence to Corporation security policies. 
However, the Corporation could not provide evidence of\nthis monitoring and adherence to agency policy.\n\n11: SECURITY CAPITAL PLANNING\n                                                                                                Answer\nPlease select Yes or No from the pull down menu.\n11.1. Has the organization established a security capital planning and investment\nprogram for information security? Besides the improvement opportunities that may have            Yes\nbeen identified by the OIG, does the program include the following attributes?\n         Documented policies and procedures to address information security in the\n11.1.1.                                                                                          Yes\n         capital planning and investment control (CPIC) process. (Base)\n          Includes information security requirements as part of the capital planning and\n11.1.2.                                                                                          Yes\n          investment process. (Base)\n         Establishes a discrete line item for information security in organizational\n11.1.3.                                                                                      Yes\n         programming and documentation (NIST SP 800-53: SA-2). (Base)\n         Employs a business case/Exhibit 300/Exhibit 53 to record the information\n11.1.4.                                                                                      Yes\n         security resources required (NIST SP 800-53: PM-3). (Base)\n         Ensures that information security resources are available for expenditure as\n11.1.5.                                                                                      Yes\n         planned. 
(Base)\n11.2 Please provide any additional information on the effectiveness of the organization\xe2\x80\x99s Security\nCapital Planning Program that was not noted in the questions above.\n11.2 Response: According to the Corporation\xe2\x80\x99s management, the Corporation is not required to\nprepare Exhibit 300, as the Corporation is considered a small agency for the purposes of FISMA.\n\n\n\n\n                                                    52\n\x0c                                                                            CNCS FY 2013 FISMA Evaluation\n                                                                                   Final Report for FY 2013\n\n\n\nAPPENDIX D: RESULTS FROM NCCC AND STATE FIELD OFFICE ASSESSMENTS\n\nField office assessments were conducted at the Jackson State Office and National Civilian\nCommunity Corps (NCCC)-Vicksburg and NCCC-Perry Point. As part of Kearney & Company,\nP.C.\xe2\x80\x99s (Kearney) assessment strategy, workspace and office suite areas were inspected for\npersonally identifiable information (PII) exposures. Kearney\xe2\x80\x99s visits to these locations also\nincluded an evaluation of workstation configuration and encryption, evaluation of controls to\nensure acceptable usage of Corporation for National and Community Service (Corporation)\nnetwork resources, physical security, rogue connections, PII management, and a search for\ninappropriate material on Corporation workstations.\n\nAt the Jackson State Office, Kearney toured the State Office and noted that PII (paper and\nportable electronic) was adequately stored and protected. Physical access controls to the facility\nand State Office work area appeared to be sufficient, considering the State Office\xe2\x80\x99s mission and\nknown threats. Kearney did not detect any wireless access points within proximity of the State\nOffice. Kearney noted that SRA International, Inc. 
(SRA) deployed technology to manage the\nconfiguration of the Corporation\xe2\x80\x99s laptops and deploy security patches. Based on an un-\ncredentialed vulnerability scan with the vulnerability tool, Nessus, these laptops appeared to be\nsufficiently protected with an active personal firewall.\n\nKearney noted opportunities to improve site controls by formally evaluating risks at field\nlocations, establishing baseline controls, defining selected controls in a site-specific Security\nProgram Plan, and establishing an oversight program for field locations.\n\nField Office Scans\n\nThe Kearney Federal Information Security Management Act of 2002 (FISMA) Evaluation Team\nconducted scans to assess site compliance with the Federal Desktop Core Configuration (FDCC)\nand United States Government Compliance Baseline (USGCB) requirements. In order to\nperform this task, Kearney employed the Nessus scanning tool with FDCC USGCB plug-ins to\nscan laptop and desktop computer configurations for all devices at each location.\n\nScope Limitation\n\nDuring the site visits, Kearney determined that the Corporation\xe2\x80\x99s network security configuration\nwould not permit on-site compliance scanning for the SRA-managed desktops and network\ndevices using authenticated credentials (i.e., user ID and password). With the Office of Inspector\nGeneral\xe2\x80\x99s (OIG) concurrence, Kearney and SRA agreed that subsequent scans would occur at the\nend of the FISMA evaluation and be conducted remotely from the Corporation\xe2\x80\x99s Headquarters in\nWashington, D.C. 
The test results of these scans and associated findings are not included within\nthe scope of this report.\n\nThe OIG has determined that a separate Management Letter will be issued to bring to\nmanagement\xe2\x80\x99s attention Kearney\xe2\x80\x99s concerns over the Corporation\xe2\x80\x99s oversight processes for field\noffices.\n\n\n\n\n                                                 53\n\x0c                                                             CNCS FY 2013 FISMA Evaluation\n                                                                    Final Report for FY 2013\n\n\n\nAPPENDIX D: ABBREVIATIONS AND ACRONYMS\n\nBCP           Business Continuity Plan\nCEO           Chief Executive Officer\nCIO           Chief Information Officer\nCIGIE         Council of Inspectors General on Integrity and Efficiency\nCISO          Chief Information Security Officer\nCO            Contracting Officer\nCorporation   Corporation for National and Community Service\nDHS           Department of Homeland Security\nDRP           Disaster Recovery Plan\nE-Gov         E-Government Act of 2002\neSPAN         Electronic System for Programs, Agreements, and National Service\nFDCC          Federal Desktop Core Configuration\nFIPS          Federal Information Processing Standards\nFISMA         Federal Information Security Management Act of 2002\nFY            Fiscal Year\nHSPD          Homeland Security Presidential Directive\nIAP           Information Assurance Program\nID            Identification\nIG            Inspector General\nISCM          Information Security Continuous Monitoring\nIT            Information Technology\nKearney       Kearney & Company, P.C.\nMDCS          Managed Data Center Services\nNCCC          National Civilian Community Corps\nNFR           Notification of Finding and Recommendation\nNIST          National Institute of Standards and Technology\nOIG           Office of Inspector General\nOMB           Office of Management and Budget\nPII           
Personally Identifiable Information\nPIV           Personal Identity Verification\nP.L.          Public Law\nPOA&M         Plan of Actions and Milestones\nPUB           Publication\nPY            Prior Year\nRev.          Revision\nRMF           Risk Management Framework\nSP            Special Publication\nSRA           SRA International, Inc.\nUSGCB         United States Government Compliance Baseline\n\n\n\n\n                                     54\n\x0c                                                                      CNCS FY 2013 FISMA Evaluation\n                                                                             Final Report for FY 2013\n\n\n\nAPPENDIX E: REFERENCED DOCUMENTS\n\nFederal Information Security Management Act of 2002 (FISMA) (Title III, Public Law [P.L.]\nNo. 107-347)\n\nOffice of Management and Budget (OMB):\n\n   \xe2\x80\xa2   Circular A-130, Appendix III, Security of Federal Automated Information Resources\n   \xe2\x80\xa2   Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information\n       Security Management Act and Agency Privacy Management\n   \xe2\x80\xa2   Memorandum M-07-16, Safeguarding Against and Responding to the Breach of\n       Personally Identifiable Information\n   \xe2\x80\xa2   Memorandum M-06-15, Safeguarding Personally Identifiable Information\n   \xe2\x80\xa2   Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the\n       E-Government Act of 2002.\n\nFederal Information Processing Standards (FIPS):\n\n   \xe2\x80\xa2   FIPS 200, Minimum Security Requirements for Federal Information and Information\n       Systems\n   \xe2\x80\xa2   FIPS 199, Standards for Security Categorization of Federal Information and Information\n       Systems.\n\nNational Institute of Standards and Technology (NIST) Special Publications (SP):\n\n   \xe2\x80\xa2   800-18, Revision (Rev.) 
1, Guide for Developing Security Plans for Federal Information\n       Systems\n   \xe2\x80\xa2   800-30, Risk Management Guide for Information Technology Systems\n   \xe2\x80\xa2   800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems\n   \xe2\x80\xa2   800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal\n       Information Systems\n   \xe2\x80\xa2   800-53, Rev. 3, Recommended Security Controls for Federal Information Systems and\n       Organizations\n   \xe2\x80\xa2   800-53A, Rev. 1, Guide for Assessing the Security Controls in Federal Information\n       Systems and Organizations\n   \xe2\x80\xa2   800-60, Rev. 1, Volume 1: Guide for Mapping Types of Information and Information\n       Systems to Security Categories\n   \xe2\x80\xa2   800-83, Guide to Malware Incident Prevention and Handling\n   \xe2\x80\xa2   800-100, Information Security Handbook: A Guide for Managers.\n\n\n\n\n                                              55\n\x0cIf you want to report or discuss confidentially any instance of\nmisconduct, fraud, waste, abuse, or mismanagement, please\n          contact the Office of Inspector General.\n\n\n\n                        Telephone:\n             The Inspector General\xe2\x80\x99s HOTLINE\n                      (800) 452-8210\n\n\n\nThe deaf or hard of hearing, dial FRS (800) 877-8339 and give\n          the Hotline number to the relay operator.\n\n\n\n                           Web:\n               http://www.cncsoig.gov/hotline\n\n\n\n                          Or Write:\n      Corporation for National and Community Service\n                Office of Inspector General\n                 1201 New York Ave, NW\n                          Suite 830\n                  Washington, DC 20525\n                       (202) 606-9390\n\x0c"